There was a front page article in the New York Times titled “How Privacy Vanishes Online, a Bit at a Time”. The story covers some of the risks that are being created as people are increasingly sharing information about themselves online. I have done some research with Cathy Ridings at Lehigh University studying Facebook profiles, with particular focus on the information that people choose to reveal about themselves. Our analysis showed that there is an extremely wide range of information that students choose to reveal about themselves. Some are quite reserved, even to the point of not providing readily identifiable pictures of themselves. Others provide cell phone numbers, physical addresses, and a variety of extremely personal information.
I believe that some students make conscious choices to reveal more of themselves because they have learned the value of social capital and believe that “you have to give to get”. There was a general trend that students that had previously established social networks in high school, understood the value of social capital and were more likely to participate at college early.
There is real risk that they are exposing quite a bit more information than they are aware of. There has been quite a bit of negative discussion around Facebook’s privacy settings, particularly in that they tend to be open by default, but it isn’t clear to me that Facebook policy is at the root. The range of voluntary disclosure we found seemed unrelated to settings and more driven by personal choices.
The issue that more people need to be aware of is just how the combination of relatively benign information can be used to deduce much more sensitive information. I vaguely remember reading that if a “hacker” has both your birthdate and hometown, that they can figure out your social security # more than 50% of the time. An MIT study referenced in the Times article found that people were able to predict with 78% accuracy which students were gay males, purely based on Facebook data.
The story highlights another serious issue, which is the whole concept of personally identifiable information. An associate director of privacy for the FTC is quoted as saying “Technology has rendered the conventional definition of personally identifiable information obsolete”. Information such as SS#, mother’s maiden name, favorite pet’s name, and so on used to be reliable as a verification of identity. I have to believe that the correlation power of today’s networked computers being applied to more than a decades worth of periodically revealed little pieces of information has rendered the concept suspect at best. Being as many, many systems use this type of information in order to release passwords, we have a potentially serious problem on our hands.