Professional Documents
Culture Documents
De Wolf - Privacy by Design
De Wolf - Privacy by Design
11.1 Introduction
according to Pew Research Center.2 The third wave of the Digimeter3 states that
58.8% of the online population in Flanders has an account on a SNS. The claim of
Deuze4 that people tend to be living more ‘in media’ than ‘with media’ lies closer
to the truth than we would think. This transition to mass self-communication brings
along not only opportunities, but also risks for the user.
We consider these technologies as empowering for the user, building up an online
identity and managing their social network. However, SNS are often contested
because of privacy issues. In literature a distinction is made between social privacy
and instrumental privacy in SNS. Social privacy is defined as the ‘control of infor-
mation flow about how and when personal information is shared with other peo-
ple.’5 Context collision6 or context collapse7 represent such problems from the
perspective of social privacy. It refers to the blurring of contexts in an online envi-
ronment, whereas in an offline environment more or less strict barriers can be dis-
tinguished. Instrumental privacy refers to personal data being accessed by
governments and corporations, e.g. using data mining and related statistical anal-
ysis methods.8 This distinction makes us aware of the different nature of privacy
problems on SNS. A notion that should also be translated in possible solutions.
However these privacy definitions are not optimal, because the role of the user in
both definitions is left undefined and the interconnection between both concepts is
overlooked. The user as social being can therefore act in an instrumental manner as
well. Rather, we propose to make a distinction between ‘privacy as subject’ and
‘privacy as object’. In ‘privacy as subject’ we allocate a more or less active role to
the user. We consider the user as an active subject defining who can and cannot see
her personal information flow. It is not just about the information flow an sich, but
also on using this information for creating meaning in a social context. In ‘privacy
as object’ we consider the user as undergoing social reality and state that the infor-
mation considered here is part of a bigger economic system. The disclosure of
information is needed to obtain another result. For example, we need to disclose
personal information to an online form in order to purchase something. Throughout
this paper ‘privacy as subject’ and ‘privacy as object’ will be used.
Taking the two privacy conceptions together we see a common trend where
the responsibility is pushed towards the individual user, who often does not – or
cannot – question the technology he is using. This phenomenon is indicated as the
2
Pew Internet & American Life Project, http://pewinternet.org.
3
Digimeter, http://digimeter.be.
4
Mark Deuze, “Media life.” (Media, Culture and Society 33, 2011), 137–148.
5
Kate Raynes-Goldie, “Aliases, creeping, and wall cleaning: Undertanding privacy in the age of
Facebook,” First Monday 15 (2010), accessed November 30, 2011, http://firstmonday.org/htbin/
cgiwrap/bin/ojs/index.php/fm/article/viewArticle/2775/2432.
6
Raynes-Goldie, “Aliases creeping.”
7
Danah Boyd, “Taken out of context: American teen sociality in networked publics” (Ph.D. diss.,
University of California, 2008).
8
Danah Boyd and Eszter Hargittai, “Facebook privacy settings: who cares?” First Monday 15
(2010), accessed November 30; 2011, http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/
article/viewArticle/3086/2589.
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 243
9
Kim Cameron, “The laws of identity”, Kim Cameron’s Identity Weblog.
10
Ann Cavoukian. Privacy by Design: take the challenge. Information and Privacy Commissioner
of Ontario, Canada, 2009.
11
European Parliamentarytechnology assessment, http://eptanetwork.org/what.php.
12
Wim Smit and Ellen van Oost. De Wederzijds beïnvloeding van technologie en maatschappij – een
technology assessment-benadering, (Bussum: Uitgeverij Coutinho, 1999).
244 R. De Wolf et al.
13
Seda Gürses, Carmela Troncoso and Claudia Diaz,“Engineering Privacy by Design”, (Paper
presented at the annual CPDP conference, Brussels, January 29–30, 2011).
14
Ann Cavoukian, “Privacy by Design.”
15
Ann Cavoukian, “Privacy by Design.”
16
Seda Gürses et al.,“Engineering Privacy.”
17
Roger Silverstone and Leslie Haddon. “Design and domestication of infomration and communi-
cation technologies: technical change and everyday life”, in Communication by design: the politics
of information and communication technologies, ed. Robin Mansell and Roger Silverstone.
(Oxford: Oxford University Press, 1996): 44–47. – Thomas Berker, Maren Hartmann, Yves Punic
and Katie Ward. Domestication of media and technology. (Berkshire, Open University Press,
2005): 255.
18
Wendy van den Broeck, “From analogue to digital: the silent (r)evolution? A qualitative study on
the domestication of interactive digital television in flanders.” (Ph.D. dissertation, Free University
of Brussels, 2011)
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 245
floating around in an empty space but are embedded in the everyday life of users.
Not everyone consumes technologies in the same manner. Different meanings are
instead attached to technology by the user. In other words, technologies are socially
constructed in the practices of the users, in line with the social construction perspec-
tive in Science and Technology Studies.19 By studying how the latter is consumed
we get a grip on the social requirements of technology. This can be defined as the
‘requirements that are extracted from the social background of everyday life of
people, with an emphasis on groups or communities and the social practices
within.’20 The concept of social requirements can be explained more thoroughly
when contrasting them with user requirements, also known as classic human-
computer interaction. User requirements focus on the direct needs of the (individ-
ual) user in relation to the product itself. Whereas, social requirements focus on the
needs of the user of an application in interaction with other users. We prefer the term
social requirements because identity is our scope of analysis and identity becomes
meaningless if it is reduced to the actions of one person only.
The seven laws of identity were developed by Kim Cameron who was at that time
Identity and Access Architect for the Microsoft Corporation. His motivation for
writing this document went further than the task he was given by Microsoft. Cameron
formulates seven laws or requirements that should be present in identity related
services in order to succeed as a trusted service. These laws have been adapted in
An Cavoukian’s PBD book21 and in Microsoft’s identity metasystem.22 This demon-
strates that they are practical enough to be implemented. But are they also good
enough to enable privacy control by users involved in mass self-communication?
Although Cameron refers to laws, we can easily interpret these guidelines as
requirements because they always refer to the technical system, i.e.: ‘Technical
identity systems must only reveal information identifying a user with the user’s
consent.’23 He has adopted this goal because he believes there are tendencies that
19
Hughie Mackay and Gareth Gillespie. “Extending the social shaping of technology apprach:
ideology and appropriation.” (Social Studies of Science 22, 1992): 685–716. – Nelly Oudshoorn
and Trevor Pinch, How users matter: the co-construction of users and technologies. London.
(London University Press, 2003).
20
Lotte Vermeir, Tim Van Lier, Jo Pierson and Bram Lievens, “Making the online complementary
to the offline: social requirements to foster the ‘sens of community” Paper presented at IAMCR
conference, Sweden, 2008.
21
Ann Cavoukian, “Privacy by Design.”
22
Tom Olzak, “Unified Identity Mangement”, (InfosecWriter, 2006).
23
Kim Cameron, “The laws of identity”, Kim Cameron’s Identity Weblog.
246 R. De Wolf et al.
will ‘erode public trust in the Internet.’24 This would threaten the possible positive
future of the Internet. The corrosion of trust inherent in the web of the 90s: ‘The
Internet was built without a way to know who and what you are connecting to. This
limits what we can do with it and exposes us to growing dangers.’25
The same aspect of not knowing to whom or what a user is connecting is also
apparent on SNS. With regard to SNS, we want to see an answer to this question of
connection, because we expect that users are unable to fully perceive to whom they
are connecting. This issue causes privacy and trust problems, which are one of the
biggest forms of trust erosion on social media. We therefore wish to reinvestigate
the seven laws of identity for privacy on social media. We believe that these laws
may comprise liberating affordances for the Internet, especially in an age of mass
self-communication. The seven laws of identity are the following.26
Law 1: User control and consent
‘Technical identity systems must only reveal information identifying a user with
the user’s consent.’ The individual is regarded as the most important part of the
identity metasystem. The technology must be in control of the user and not the
other way around. Moreover the technology should protect the user from decep-
tion, e.g. phishing.
Law 2: Minimal disclosure for a constrained use
‘The solution which disclosues the least amount of identifying information and
best limits its use is the most stable long term solution.’ A breach is always pos-
sible. Therefore a ‘need to know’ basis of the identity metasystem is preferred.
Cameron gives the example of ‘age category’ being different from ‘birth date’.
‘If a scenario requires proof of being a certain age, then it is better to acquire
and store the age category rather than the birth date. Date of birth is more likely,
in association with other claims, to uniquely identify a subject, and so represents
“more identyfying information” which should be avoided if it is not needed.’
Law 3: Justifiable parties
‘Digital identity systems must be designed so the disclosure of identifying infor-
mation is limited to parties having necessary and justifiable place in a given
identity relationship.’ The user must understand with whom information is being
shared. Infocards a Windows identity Metasystem integrated in Internet Explorer
7 is a clear operationalization of this notion.27 Windows designed a metasystem
in which users can decide how much information they disclose to whom on the
Internet through a standardised system. This system has many similarities to
Facebook’s identity system.
24
Kim Cameron, “Laws of identity.”
25
Kim Cameron, “Laws of identity.”
26
The seven laws presented here are entirely based on the document of Kim Cameron “Laws of
identity.”
27
Tom Olzak, “Unified Identity Management”
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 247
In describing the initial social requirements, which have initially been worked out,
we will differentiate between the social requirements of identity processes and the
social requirements of privacy issues. The first set on requirements focusses on the
248 R. De Wolf et al.
needs and advantages of announcing the identity on SNS, intertwined with contextual
privacy problems. The second set of requirements focus on what users want and
need in protecting their privacy on SNS. We have separated these requirements
because they cannot be reduced to each other, e.g. a teacher may announce herself
as a good-looking single, open for relationships on a SNS (identity requirement), but
she may want to keep this from her students (privacy requirement). We should
emphasize that the social requirements will be only briefly discussed here. For a
more elaborate view on these requirements and the theoretical and methodological
background reference is made previous work by De Wolf and Pierson discussing the
Symbolic Interactionist perspective on linking privacy and identity on social network
sites.28 For the purposes of this paper it suffices to say that 15 adolescents between
the age of 14 and 18 were interviewed regarding their online behaviour on Facebook
and Smartschool (a Belgian digital learning platform). All interviews were obtained
in June and July 2011 in Flanders (the Northern part of Belgium) and took place in a
public setting like a library or a pub. The focus is on how an online self on SNS is
acquired and how this interconnects with the context problems of privacy. To pin
down the relationship between identity and privacy the theoretical framework of
Symbolic Interactionism combined with a qualitative ethnographic study was used.
28
Ralf De Wolf and Jo Pierson, “‘Symbolic Interactionist perspective on linking privacy and identity
on social network sites” Congres paper for ICA 2012. (Submitted)
29
With this problem we refer to the fact that people often do not know what happens with their
personally identifiable information (PII), with questions like, ‘who gathers it?’ and ‘why do they
gather it?’ – Daniel Solove, “Privacy and power: computer databases and metaphors for information
privacy”, (Stanford law review 53, 2001),1393.
30
With context collision we refer to the collapsing or blurring of different contexts online – Danah
Boyd, “Taken out of context.”
31
Danah Boyd, “Taken out of context.”
32
Danah Boyd, “Taken out of context.”
33
Forced disclosure refers to the ongoing process of clarifying private information through private
information. A problem, combined with context collison that can cause annoying problems for the user –
Jeffrey Rosen, “Out of context: the purposes of privacy.” (Social Research 68, 2001): 209–222.
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 249
On the one hand, all of these issues seem like privacy invasive elements. On the
other hand, these elements seem to have a positive influence on many identity pro-
cesses among the adolescent population. In this section four important so-called
social requirements of identity are briefly explained.
1. A first social requirement of identity emphasizes the possibility announcing the
own identity in ways that are easier, less direct, complementary and new in com-
parison to an offline environment. In previous work we found that the process of
announcements, that is presenting the own identity to the outside world, is facili-
tated when there are no clear boundaries in the context in which one is acting. For
example, it is easier to change your relationship status on Facebook from ‘in a
relationship with’ to ‘single’ than to explain it over and over again in the offline
world to different groups of people.
2. Moreover it seems that filling up this fuzzy context environment of SNS with
meaning is empowering and liberating for the user. For example, Facebook is also
used as an outlet for frustrations when nobody is around or direct conversation is
perceived as undesirable.
3. Not only announcements but also placements,34 that is the acknowledgement and
placing of the other in the identity that is being announced, seem to be facilitated.
For example, the like-button was perceived as a useful tool to easily place one
another.
4. Last but not least the process of altercasting seems to be modified on SNS.
Altercasting can be defined as ‘the social process in which a person’s acts constrain
and shape acts of another by “casting” the other into a role of the altercaster’s
choosing’, thus Hewitt.35 It is often difficult to define the relationship one has
with others. Facebook was used as a tool to make these relationships more clear
and prominent. For example, tagging other people in your own profile picture
with the inscriptions like ‘best friends’.
It is our task as social scientists to take into account these positive features of SNS
when developing privacy enhancing technologies. Otherwise there is the possibility
of harming the identity layer and uniqueness of announcing the identity on SNS.
34
These concepts are used within the framework of Symbolic Interaction and can be seen as two
sides of the same coin in identity formation. The former is everything a person does to bind himself
with a specific identity. The latter is the reaction of others in confirming the announced identity.
35
John Hewitt, Self and Society: a symbolic interactionist social psychology (10th ed.). (Boston
Mass.: Allyn and Bacon, 2007), 167.
36
Danah boyd, “Taken out of context.”
250 R. De Wolf et al.
37
Jeffery Rosen, “Out of context.”
38
John Hewitt, Self and society, 75.
39
Smartschool is a commercial digital learning environment (DLE) owned by Smartbit in Belgium.
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 251
the generalized others of communities of interest the users are involved with
offline could also influence their behaviour without being depriving.
4. Stimulating the process of deindividuation in order to stimulate privacy behaviours
on SNS. The remark ‘everybody else is using the platform, so why shouldn’t I’ was
a phrase that was often heard during the interviews. It seems like the respondents
are immersed in the mass and in that way feel invulnerable. Reversing this process
of deindividuation in order to make the user responsible for her actions on SNS
could be of value in developing privacy enhancing technologies. The table below
summarizes the different social requirements of identity and privacy (Table 11.1).
In this section we will bundle the previous section on social requirements together
with identity and community literature on SNS to compose four identity claims. (1)
Offline and online communities are intertwined but not the same, (2) personal infor-
mation on (the Internet) is networked, (3) individuals are often unaware of their
identity processes and (4) privacy, identity and capitalism are interconnected.
On the basis of these four claims we would like to update the seven laws of identity
into a useful tool in the process of requirement engineering.
‘Community’ is an old concept and often contested in its nature. It is beyond the
scope of this paper to elaborate on all the different views of community in present
society, but in order to prove the previously mentioned identity claim, the view of
252 R. De Wolf et al.
40
Howard Rheingold. The virtual community: homesteading on the electric frontier. (USA: MIT
Press, 2000).
41
Malcom Parks, “Social network sites as virtual communities” in A networked self: identity, community
and culture on social network sites, ed. Zizi Paparachissi (New York and London, Routledge, 2011).
42
Gerard Delanty, Community, (London and New York, Routledge, 2003).
43
Zygmunt Bauman. “Identity in the globalizing world.” In Identity in question, ed. Anthony Elliot
and Paul du Gay (Sage publications, 2008). – Gerard Delanty, Community – Craig Calhoun,
“Community without propinquity revisited: communications technology and the transformation of
the urban public sphere”, Sociological inquiry 68 (1998): 373–397.
44
Cliff Lampe et al., “a face(book) in the crowd.” Paper presented at the 2006 20th anniversary
conference on Computer supported cooperative work – CSCW, Canada, 2006.
45
Danah boyd and Nicole Ellison, “social network sites: Definiton, history, and scholarship”,
Journal Computer-Mediated Communication 13 (2007).
46
Danah boyd, “Friends, friendster, and myspace top 8: writing community into being on social
network sites”, First Monday 11 (2006).
47
Daniel Miller and Don Slater, The Internet: An Ethnographic Approach, (London: UK: Berg, 2000).
48
Malcom Parks, “Social network sites.”
49
“Pew Internet and American Life Project.”
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 253
However, this is only a segment of our first identity claim. We also want to prove
that the offline and online world differ quite substantially. We will start by elaborating
upon a concept of Zhao et al.,50 namely ‘hoped-for-possible selves’. Zhao et al. state
that the way people profile themselves in an offline environment differs consider-
ably from an online environment, which can exert positive influences on the self-
image and esteem. So they conceive identity construction as different in a nonymous51
online world (e.g. Facebook) versus a nonymous offline world. A nonymous envi-
ronment refers to an online context in which the offline identity is displayed. He uses
the term nonymous to contrast with an anonymous online environment, in which
people do not have to display their offline identity, e.g. online dating site match.
com. Consequently, there does not have to be a connection to the offline world in the
latter. In a nonymous online environment people have to display their offline iden-
tity, but have control over how it is displayed. It looks like people take advantage of
this opportunity to ‘stretch the truth a bit, for creating their hoped-for-possible-
selves’, as Zhao et al. would say. De Wolf and Pierson52 investigated how the online
self is acquired on SNS and found that identity processes are perceived differently
than in an offline world. ‘Behaviour on Facebook can be seen like a performance on
stage. The respondents – usually – did not want to profile themselves to just one
person or segment. They wanted to announce their own identity to the world’,
according to De Wolf and Pierson.53 This kind of interpretation of identity processes
online leaves room for behaviour that otherwise would not be performed in the
offline world. In a previous sect. (11.3.2) we described these behaviours as social
requirements of identity on SNS.
On the topic of privacy online, boyd54 stated recently ‘that the solution to this puzzle
will not be to restrict data collection or to enhance individual control over specific
items of data, but to think long and hard about what happens as the data flows across
networks and as the data is networked together. This requires moving beyond the
individual and focussing on the collective’. Like boyd we think that we need to focus
beyond the individual control over data. Moreover, it seems necessary to mitigate the
responsibilization of the individual in this process. In this section we will use the
50
Shanyang Zhao et. al., “Identity construction on facebook: Digital empowerment in achored
relationships”, Computers in Human behaviour 24 (2008): 1816–1836.
51
The concept of nonymous is used to constrast with anonymous.
52
Ralf De Wolf and Jo Pierson, “‘Symbolic Interactionist perspective.”
53
Ralf De Wolf and Jo Pierson, “‘Symbolic Interactionist perspective.”
54
Danah boyd, “Networked privacy”, http://www.danah.org/papers/talks/2011/PDF2011.html.
254 R. De Wolf et al.
Symbolic Interactionist (SI)55 view to elaborate how the self is socially constructed
and how everything about information is networked in an online and offline world.
According to SI, it is the act of speech that is an essential factor for the evolutionary
development of human consciousness. Hewitt56 states that this factor has three
consequences for human life: (a) It transforms the environment people live in,
because we can manipulate the environment and transform it from relative concrete
to more or less abstract; (b) the possibility to displace oneself into the other, by
which shared meaning can be established and; (c) the individual can become part of
the environment. If individuals can designate the environment through symbols, it
is also possible in designating oneself as an object as well as being acted upon. We
think that this latter fact is often over-emphasized, whereas the accent should be on
‘interaction’ and not on the ‘individual’.
There are a lot of different factors that an individual has to take into account in
order to coincide the own behaviour with that of the situation and others: what role
should be performed, what content could be brought up, how content ought to be
brought up, etc. If we were to grasp this on a more abstract level we could ask our-
selves why we always put the individual into the centre of attention in identity for-
mation that is socially constructed. Other factors seem to be equally important. Of
course, having an individualistic view on the user is not a problem as long as the
different structures, in which one is acting, are adequate and not questioned. It is
only when all of this fails, that the negligible role of the individual becomes clear.
This is exactly what we see happening on the topic of privacy issues on SNS.
Interactions on SNS – as well as on any other technology aiming at social inter-
action – are a simulation of real life conduct.57 Whereas in an offline setting a more
or less clear definition of the situation in space and time can exist, an online setting
does not guarantee this: who is watching our behaviour (space) and what happens
with our information (time)? It seems that information is developing a story of
its own, without being in control of the individual. To put it otherwise, information
is becoming networked and very fluid, beyond the individual.
In the previous section we have elaborated our view on how information is always
networked and how the role of the individual within this process is over-emphasized.
In this section we want to build further on this insight to clarify our third claim on
the unawareness of individuals of their identity formation on SNS.
55
The Symbolic Interactionist School highlights the reciprocal relationship between the individual
and the group it is embedded in. Moreover, it studies the way society is created through interaction.
56
John Hewitt, Self and society, 40–44.
57
Sherry Turkle, “Alone together: why we expect more from technology and less from each other”,
(New York: Basic Books, 2011).
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 255
MacKenzie and Wajcman58 claim that technologies are always socially shaped
and ‘involve economic decisions made by complex social institutions operating over
long periods.’ To illustrate this claim they have compared the evolution of the gas
refrigerator with his electric rival. Eventually, the latter prevailed and is now consid-
ered as a given. On first sight we would think that the electric refrigerator was tech-
nologically better designed. However, this does not seem to be the case. Mackenzie
and Wajcman59 claim that ‘we have compression, rather than absorption, refrigera-
tors in the United States today not because one was technically better than the other,
and not because consumers preferred one machine (in the abstract) over the other,
but because General Electric, General Motors, Kelvinator and Westinghouse were
very large, very powerful, very aggressive, and very resourceful companies, while
Servel and SORCO were not.’ Today, it seems that nobody questions the existence
of the electric refrigerator and the annoying humming it makes – which the gas
refrigerator did not have, because it did not require a motor. Mackenzie and
Wajcman60 rightly indicate the negligible role the consumer played within this process:
‘Consumer ‘preference’ can only be expressed for whatever it is, in fact, available
for purchase, and is always tempered by the price and convenience of the goods that
are so available.’ Without being economically deterministic we are also concerned
about the ‘gap of influence’ between the consumer and the producer of goods. What
we want to highlight here is the unconsciousness to which this process contributes:
Without knowing that the refrigerator could have existed without its ‘hum’, can we
question it? Without knowing that SNS providers collect PII and the interrelation
between identity and privacy on SNS, can we question it?
Berger and Luckman stated that sociology should become ‘an inquiry into the
ways in which everyday ideas about reality are created and maintained.’61 Hence,
they focused on the everyday construction of social reality. Berger62 described a
three way process on how the social reality comes to existence.
Externalization (1) is the on-going outpouring of human being into the world, both in the
physical and the mental activity of men. Objectivation (2) is the attainment by the products
of this activity (…) of a reality that confronts its original producers as a facticity external to
and other than themselves. Internalisation (3) is the reappropriation by men of this same
reality, transforming it once again from structures of the objective world into structures of
the subjective consciousness. It is through externalization that society is a human product.
It is through objectivation that society becomes a reality sui generis. It is through internal-
ization that man is a product of society.
58
Donald MacKenzie and Judy Wajcman, The social shaping of technology: how the refrigerator
got its hum (Open University Press, 1985): 1.
59
Donald MacKenzie and Judy Wajcman, The social shaping of technology, 9.
60
Donald MacKenzie and Judy Wajcman, The social shaping of technology, 10.
61
Steven Seidman, Contested Knowledge: social theory today 3th edition (UK: Blackwell
Publishing, 2004): 81.
62
Peter Berger, The Sacred Canopy: Elements of a Sociological theory of Religion (New York:
Anchor, 1967): 4.
256 R. De Wolf et al.
We believe that this process describes well how social reality is constructed,
taking into account both agency and structure elements. The social construction of
technology (SCOT) describes a similar phasing, applied in the domain of technolo-
gies. SCOT, can be seen as part of the theoretical framework of social shaping of
technology (SST).63 In a first stage Pinch and Bijker64 describe ‘how technological
artefacts are culturally constructed and interpreted.’ With this they try to clarify
that there is not just one way of constructing technology and that meaning is poured
into technology. In the second phase of ‘closure’ we observe a stabilization of tech-
nology and a disappearance of possible problems, where it is more important that
the problem is not regarded as a problem, than a solution being found. In a last stage
they refer to the wider context in which ‘the sociocultural and political situation of
a social group shapes its norms and values, which in turn influence the meaning
given to an artefact (Table 11.2).’65
What we find particularly interesting about the dialectic process of society shaping
described by Berger66 is how the relationship between objectivation and internaliza-
tion is blurred and the ‘socially produced institutional world is internalized by the
individual, as an objective, natural order.’67 According to our results (3.1 and 3.2)
the identity formation on SNS is not questioned or reflected upon enough. Most of
the time people ‘just do’ and do not ask ‘why’ they are engaged in certain activities.
People seem to be unaware of their identity processes online. This does not, howver,
have to be solely excluded as a negative. We could state that this ‘undergoing of
structures’ makes societal life easy and enjoyable. However, a certain amount of
self-alienation68 is necessary. Otherwise, we reduce ourselves to herd behaviour.
Berger and Luckman call this process of herd behaviour ‘reification’ and it occurs
‘when the institutional order is assumed to have taken on a life of its own indepen-
dently of human intentions and needs.’69 This is a concept that is missing within the
63
Robin Williams and David Edge, “the shaping of technology”, Research policy 25 (1996): 865–899.
64
Trevor Pinch and Wiebe Bijker, “The social construction of facts and artifacts: or how the sociology
of science and the sociology of technology might benefit each other” in the social construction of
technology systems, ed. W.E. Bijker, T. P. Hughes & T.J. Pinch. (1987): 40–48.
65
Trevor Pinch and Wiebe Bijker, “The social construction of facts”, 48.
66
Peter Berger, The Sacred Canopy, 4.
67
Steven Seidman, Contested Knowledge, 83.
68
We define self-alienation as the process in which the individual looks at his own behaviour from
a third person point of view. We do not denote this concept as solely negative nor positive. However
a certain degree of self-alienation seems desirable.
69
Steven Seidman, Contested Knowledge, 83.
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 257
framework of Pinch and Bijker. But the concept of self-alienation can be easily
applied to the domain of SCOT.
In this section we would also like to denote the relation between alienation and
empowerment, which is often overlooked. Empowerment is defined as something
‘enabling people to control their own lives and to take advantage of opportunities.’70
The use of the notion of ‘empowerment’ is a long-standing tradition especially in the
social welfare and radical education literature. When applying it in the analysis of the
implications of communication technology, however, it is crucial to take into account
Mansell’s71 critique on the discourse surrounding new media innovations that sim-
ply presumes users or citizens can reap the benefits of these innovations from the
moment they are implemented. ‘There is, therefore, a growing need to examine
whether the deployment of new media is consistent with ensuring that the majority of
citizens acquire the necessary capabilities for interpreting and acting upon a social
world that is intensively mediated by the new media.’72 We should, however, also ask
ourselves if empowering the user is always desirable. Empowering users of some-
thing they are not aware of automatically requires a certain degree of self-alienation,
which could lead to depriving the user from expressing their identity online.
Identity, privacy and capitalism are connected but the strength of the tie between
the different concepts depends on the way the user is being approached as a research
object.
If the user is described as a research object that tries to use SNS as a means of
forming an identity, than researchers are looking at the positive aspects of this pro-
cess.73 Castells uses social media as a clear example to show how users are empow-
ered to communicate more easily with a larger audience. He calls this mass
self-communication.74 Although Castells recognized that the companies who own
social media were curtailing these abilities, he still sees the user as a creative agent
with unprecedented autonomy and new capabilities. As long as users are seen as
actors, privacy issues are put forward as consequences of user behaviour.
70
Laurent van der Maesen and Alan Walker, “Social quality: the theoretical state of affair”,
European Foundation of Social Quality (2002).
71
Robin Mansell, “From digital divides to digital entitlements in knowledge societies”, Current
sociology 50 (2002): 407–426.
72
Robin Mansell, “From digital divides”, 409.
73
Danah Boyd, “Why youth (heart) social network sites: the role of networked publics in teenage
social life”, MacArthur Foundation Series on digital learning – youth, identity, and digital media
26 (2007).
74
Manuel Castells, “communication power and couter-power in the network society”, International
Journal of Communication 1 (2007): 238–266.
258 R. De Wolf et al.
75
Daniel Weitzner, “Information accountability”, Communication of the ACM 51 (2008): 82–87.
76
Christian Fuchs, “New Media, Web 2.0 and Surveillance”, Sociology Compass 5 (2011): 134–147.
77
Nigel Thrift, Knowing capitalism, (New Delhi: Sage Publications, 2005).
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 259
In contemporary SNS these two logics of privacy are intertwined into what has
been called social advertising. This can be defined as a particular form of targeted
advertising wherein the advertised product is endorsed by a user to another targeted
user. The endorsing aspect is achieved through UGC because the advertisement
itself is shown as a story, which is sometimes indiscernible from other UGC. This
intertwinement of UGC and targeted advertising is not new. In fact we can find three
different ways in which this intertwinement generates value for social media com-
panies. Cohen,78 Coté and Pybus79 have already pointed out that the UGC provided
on social media works as glue, which motivates users to stay logged in and inter-
ested in a particular social media platform. This factor of returning and staying on a
platform is called ‘stickiness’. This stickiness is a means to create more eyeballs,
which can be translated into direct economic value.80 Secondly, UGC is also used as
PII to profile users into segments of users who are more apt to be interested in the
advertised product or service, which makes them sellable as a distinct audience.
We have found a third and new way of commodifying these subjectivities. Social
advertising uses the interpersonal relationships between users as an extra meaning.
This meaning is incorporated in the message. This form of advertising consists out of
the following steps. (1) A user starts following a brand of product on Facebook by
liking it. (2) Facebook publishes this story as a normal event. (3) If a company pays
for this story to be shown more, it can be shown as a sponsored story to a specifically
targeted audience. It is important to note that the audience must have a relationship
with someone who has recently engaged the advertised brand (Fig. 11.1).
78
Nicole Cohen, “the valorization of surveillance: Towards a political economy of Facebook”,
Democratic Communiqué 22 (2008): 5–22.
79
Mark Coté and Jennifer Pybus, “Learning to immaterial labour 2.0: MySpace and social
networks”, Ephemera: Theory & Politics in Organization 7 (2007): 88–106.
80
Nicole Cohen, “the valorization of surveillance.”
260 R. De Wolf et al.
Identity, privacy and capitalism are thus connected. This connection is not
questioned in the work of Coté and Pybus who pointed out the two-sided aspect of
UGC and PII wherein UGC was created to form an identity and PII to create value
for a company: ‘every time the user submits a search topic, it accretes – like surplus
labour – in the Google database and in turn micro targets an advertisement tailored
not only to that particular user but to that specific search.’81 We question this
entwinement because the motivation of the initial announcement differs from the
consequent generated announcement. In the first case, someone “likes” something
as a social announcement, but in the third case, someone is shown as being part of
an ad. Is this incorporation of UGC in advertising acceptable for users? Do they see
a difference between the two announcements in terms of identity, privacy or even as
being a part of a capitalist system?
The first identity claim of ‘online and offline community being intertwined but not
the same’ teaches us that we can use the offline environment in tackling the privacy
issues online: what can we learn of offline communities in enhancing privacy on
SNS? We should, however, take into account that ‘identity’ and ‘community’ differ
online and offline. To simply copy-paste offline regulations (e.g. partial identities,
circles, smart lists) is denying the uniqueness of SNS. The second and third identity
claim teaches us that a focusing soleley on the individual is not enough. We need to
focus on the collective and move beyond the individual in preserving privacy on
SNS. The third identity claim teaches us that we have to measure the awareness and
behaviours of individuals and delineate the degree of self-alienation that is desirable.
The fourth and final identity claim teaches us that we have a clear interconnection
between privacy, identity and capitalism. Any privacy enhancing technology that is
being developed should take this claim into account. Otherwise, technologies are
being created in thin air. Moreover, a technology should consider a trade-off inher-
ent in the design, in which self-deprivation seems necessary.
In this section we will set the seven laws of identity of Cameron (Sect. 11.2.2).
against the four identity claims (Sect. 11.4).
The first law of identity states that ‘identity systems must only reveal information
identifying a user with the user’s consent’. At first sight this seems like something
81
Mark Coté and Jennifer Pybus, “Learning to immaterial labour 2.0.”
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 261
The fourth law of identity states that ‘a universal metasystem must support
both “omnidirectional” identifiers for use by public entities and “unidirectional”
identifiers for use by private entities.’ Again this notion presumes that people can
always differentiate between groups of people (see critique third identity law).
Moreover this seems difficult when information is networked. In conclusion, this
fourth identity law is difficult to obtain when confronted with unawareness and
information that is being networked with others.
The fifth identity law states that ‘a universal identity solution must utilize and
enable the interoperation of multiple identity technologies run by multiple identity
providers.’ Multiple identity providers also include the users themselves. We com-
pletely agree with this fifth identity law. However, as the second claim of identity
states, information on the internet is and always will be networked. We think that it
is important that identity technologies are run by multiple identity providers. But we
find the controlling of PII by the user even more important. The idea of distributed
SNS (compatibel with the idea that users control their PII) instead of commercial
SNS is appealing. We ask ourselves, however, if it is a good thing that PII is distrib-
uted to dozens of servers? Does this make the control of PII easier? Furthermore,
does every user want this kind of control?
The sixth identity law states ‘that the identity metasystem must define the human
user to be a component of the distributed system, integrated through unambiguous
man machine communication mechanisms offering protection against identity
attack.’ We have two side remarks on this sixth identity law. Firstly, certain technolo-
gies like SNS can no longer be seen as a just a ‘tool’ that is used, but as an extension
of the human user. It seems as though this technology is completely internalised
and perceived as a given in contemporary society. This latter fact of internalisation
is often overseen by the unaware user: Does the individual question her interrelation
with the technology that she is using? Does the individual ask if her identity forma-
tion is different because of the opportunities that SNS have to offer? This is not
always the case. According to the third identity claim finding the right amount of
self alientation seems necessary for people to make them aware of their identity
formation and privacy gaps on SNS. However we should not over-exaggerate this.
Otherwise this could lead to depriving the user of expressing her identity online, or
even worse, create a moral panic. Secondly, it is important to make a distinction
between the individual as an individual user of technology or to approach the indi-
vidual as a social being in interaction with others and the community one lives in.
We prefer the latter. With this we like to emphasis the need for social requirements
beyond the classical individual person perspective, as the second claim describes.
The seventh and last identity claim states ‘the identity metasystem must guaran-
tee its users a simple, consistent experience while enabling separation of context
through multiple operators and technologies.’ A simple and consistent experience
is exactly the opposite of what we experience on SNS. We do not have simple and
clearly defined contexts on these platforms. Moreover, we need to give the user
freedom to fill these contexts with meaning. Hence, defining a simple and consistent
experience, like what the users is used to in the offline world, is denying the uniqueness
and agency of the user. Instead we should focus beyond the offline metaphors on
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 263
behaviour.82 As stated in the first claim, the offline and online world are intercon-
nected, but not the same.
82
We want to make clear that in an online world there are different laws and regulations on how to
act. To simply copy-paste offline regulations, as in presenting clearly defined barriers (e.g. partial
identities, circles, smartlists) is denying the uniqueness of SNS.
264 R. De Wolf et al.
References
Bauman, Zygmunt. 2008. Identity in the globalizing world. In Identity in question, ed. Elliot
Anthony and Paul du Gay. London: Sage publications.
Berger, Peter. 1967. The sacred canopy: Elements of a sociological theory of religion. New York:
Anchor.
Berger, Thomas, Maren Hartmann, Yves Punic, and Katie Ward. 2005. Domestication of media
and technology, 255. Berkshire: Open University Press.
Boyd, Danah. 2006. Friends, friendster, and myspace top 8: Writing community into being on
social network sites. First Monday 11. http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/
fm/article/view/1418/1336. Accessed 30 Nov 2012.
Boyd, Danah. 2007. Why youth (heart) social network sites: the role of networked publics in
teenage social life. In MacArthur Foundation Series on digital learning – youth, identity, and
digital media, ed. David Buckingham, 1–26. Cambridge, MA: MIT Press.
Boyd, Danah. 2008.Taken out of context: American teen sociality in networked publics. Ph.D.
dissertation, University of California, San Diego.
Boyd, Danah. 2011 Networked privacy. http://www.danah.org/papers/talks/2011/PDF2011.html.
Accessed 6 June 2011.
Boyd, Danah and Hargittai Eszter. 2010.Facebook privacy settings: Who cares? First Monday 15.
http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/viewArticle/3086/2589.
Accessed 30 Nov 2011.
Boyd, Danah, and Nicole Ellison. 2007. Social network sites: Definition, history, and scholarship.
Journal Computer-Mediated Communication 13: 210–230.
Calhoun, Craig. 1998. Community without propinquity revisited: Communications technology
and the transformation of the urban public sphere. Sociological Inquiry 68: 373–397.
Cameron, Kim Blog. 2011. The laws of identity. Retrieved 17 Nov 2011, from: http://www.identi-
tyblog.com/stories/2004/12/09/thelaws.html.
Castells, Manuel. 2007. Communication power and couter-power in the network society.
International Journal of Communication 1: 238–266.
Castells, Manuel. 2009. Communication power. Oxford: Oxford University Press.
Cavoukian, Ann. 2009. Privacy by design: Take the challenge. Toronto: Information and Privacy
Commissioner of Ontario.
Cliff, Lampe, Ellison, Nicole and Steinfield Charles. 2006. A face(book) in the crowd. Paper
presented at the 2006 20th anniversary conference on computer supported cooperative work
– CSCW, Banff.
Cohen, Nicole. 2008. The valorization of surveillance: Towards a political economy of facebook.
Democratic Communiqué 22: 5–22.
Coté, Mark, and Jennifer Pybus. 2007. Learning to immaterial labour 2.0: MySpace and social
networks. Ephemera: Theory and Politics in Organization 7: 88–106.
De Wolf, Ralf, and Pierson Jo. 2012. Symbolic interactionist perspective on linking privacy and
identity on social network sites. Congres paper for ICA, Phoenix (work in progress).
Delanty, Gerard. 2003. Community. London/New York: Routledge.
Deuze, Mark. 2011. Media life. Media, Culture and Society 33: 137–48.
Digimeter. 2008. Digimeter. http://digimeter.be. Accessed 19 July 2008.
Gürses, Seda, Carmela, Troncoso, and Claudia Diaz. 2011. Engineering privacy by design. Paper
presented at the annual CPDP conference, Brussels, 29–30 Jan 2011.
Hewitt, John. 2007. Self and society: A symbolic interactionist social psychology, 10th ed. Boston:
Allyn and Bacon.
Mackay, Hughie, and Gareth Gillespie. 1992. Extending the social shaping of technology apprach:
Ideology and appropriation. Social Studies of Science 22: 685–716.
MacKenzie, Donald, and Judy Wajcman. 1985. The social shaping of technology: How the refrig-
erator got its hum. Philadelphia: Open University Press.
11 Privacy by Design Through a Social Requirements Analysis of Social Network… 265
Mansell, Robin. 2002. From digital divides to digital entitlements in knowledge societies. Current
Sociology 50: 407–426.
Miller, Daniel, and Don Slater. 2000. The internet: An ethnographic approach. London: Berg.
Olzak, Tom. 2006. Unified identity management. http://www.infosecwriters.com/text_resources/
pdf/Unified_Identity_Management_TOlzak.pdf. Accessed 6 Nov 2012.
Oudshoorn, Nelly, and Trevor Pinch. 2003. How user matter: The co-construction of users and
technologies. London: London University Press.
Parks, Malcom. 2011. Social network sites as virtual communities. In A networked self: Identity,
community and culture on social network sites, ed. Zizi Paparachissi. New York/London:
Routledge.
Pew. Pew internet and American life project. http://www.pewinternet.org/Reports/2011/
Technology-and-social-networks/Summary.aspx.
PewInternet and American Life Project. Why americans use social media. Last modified on 15 Nov
2011. http://pewinternet.org/Reports/2011/Why-Americans-Use-Social-Media/Main-report.aspx.
Pinch, Trevor, and Bijker Wiebe. 1987. The social construction of facts and artifacts: or how the
sociology of science and the sociology of technology might benefit each other. In The social
construction of technology systems, ed. W.E. Bijker, T. P. Hughes, and T. J. Pinch, 40–48.
Cambridge, Massachusetss: The MIT Press.
Raynes-Goldie, Kate. 2010. Aliases, creeping, and wall cleaning: Undertanding privacy in the age
of facebook. First Monday 15. http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/arti-
cle/viewArticle/2775/2432. Accessed 30 Nov 2011.
Rheingold, Howard. 2000. The virtual community: Homesteading on the electric frontier.
Cambridge, MA: MIT Press.
Rosen, Jeffrey. 2001. Out of context: The purposes of privacy. Social Research 68: 209–222.
Seidman, Steven. 2004. Contested knowledge: Social theory today, 3rd ed. Malden: Blackwell
Publishing.
Silverstone, Roger, and Leslie Haddon. 1996. Design and domestication of infomration and com-
munication technologies: Technical change and everyday life. In Communication by design:
The politics of information and communication technologies, ed. Robin Mansell and Roger
Silverstone, 44–47. Oxford: Oxford University Press.
Smit, Wim, and Ellen Van Oost. 1999. De Wederzijds beïnvloeding van technologie en maatschappij –
een technology assessment-benadering. Bussum: Uitgeverij Coutinho.
Solove, Daniel. 2001. Privacy and power: Computer databases and metaphors for information
privacy. Stanford Law Review 53: 1393.
Thrift, Nigel. 2005. Knowing capitalism. New Delhi: Sage Publications.
Turkle, Sherry. 2011. Alone together: Why we expect more from technology and less from each
other. New York: Basic Books.
Van De Broeck, Wendy. 2011. From analogue to digital: The silent (r)evolution? A qualitative
study on the domestication of interactive digital television in flanders. Ph.D. dissertation, Free
University of Brussels, Brussels.
Van der Maesen Laurent, and Walker Alan. 2002. Social quality: The theoretical state of affair.
European Foundation of Social Quality.
Vermeir, Lotte, Van Lier, Tim, Pierson, Jo, and Lievens, Bram. 2008. Making the online comple-
mentary to the offline: Social requirements to foster the ‘sens of community’. Paper presented
at IAMCR conference, Stockholm.
Weitzner, Daniel. 2008. Information accountability. Communication of the ACM 51: 82–87.
Williams, Robin, and David Edge. 1996. The shaping of technology. Research Policy 25: 865–899.
Zhao, Shanyang, Sherri Grasmuck, and Jason Martin. 2008. Identity construction on facebook:
Digital empowerment in achored relationships. Computers in Human behaviour 24: 1816–1836.