2230371 Facebook Threats to Privacy | Internet Privacy | Facebook

Facebook: Threats to Privacy

Harvey Jones, Jos´ Hiram Soltren e December 14, 2005

Abstract End-users share a wide variety of information on Facebook, but a discussion of the privacy implications of doing so has yet to emerge. We examined how Facebook affects privacy, and found serious flaws in the system. Privacy on Facebook is undermined by three principal factors: users disclose too much, Facebook does not take adequate steps to protect user privacy, and third parties are actively seeking out end-user information using Facebook. We based our enduser findings on a survey of MIT students and statistical analysis of Facebook data from MIT, Harvard, NYU, and the University of Oklahoma. We analyzed the Facebook system in terms of Fair Information Practices as recommended by the Federal Trade Commission. In light of the information available and the system that protects it, we used a threat model to analyze specific privacy risks. Specifically, university administrators are using Facebook for disciplinary purposes, firms are using it for marketing purposes, and intruders are exploiting security holes. For each threat, we analyze the efficacy of the current protection, and where solutions are inadequate, we make recommendations on how to address the issue.

1

Contents
1 Introduction 2 Background 2.1 2.2 Social Networking and Facebook . . . . . . . . . . . . . . . . . . . . . . . . . . . . Information that Facebook stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5
5
5
6
7
7
9
9
9

3 Previous Work 4 Principles and Methods of Research 4.1 4.2 4.3 4.4 4.5 4.6 Usage patterns of interest. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Direct data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Obscuring personal data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A brief technical description of Facebook from a user perspective . . . . . . . . . . . 10
Statistical significance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
13

5 End-Users’ Interaction with Facebook 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9

Major trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Facebook is ubiquitous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Users put time and effort into profiles . . . . . . . . . . . . . . . . . . . . . . . . . 15
Students join Facebook before arriving on campus . . . . . . . . . . . . . . . . . . . 15
A substantial proportion of students share identifiable information . . . . . . . . . . 16
The most active users disclose the most . . . . . . . . . . . . . . . . . . . . . . . . 16
Undergraduates share the most, and classes keep sharing more . . . . . . . . . . . . 18
Differences among universities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Even more students share commercially valuable information . . . . . . . . . . . . . 20

5.10 Users are not guarded about who sees their information . . . . . . . . . . . . . . . . 20
5.11 Users Are Not Fully Informed About Privacy . . . . . . . . . . . . . . . . . . . . . . 20
5.12 As Facebook Expands, More Risks Are Presented . . . . . . . . . . . . . . . . . . . 21
5.13 Women self-censor their data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.14 Men talk less about themselves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5.15 General Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
6 Facebook and “Fair Information Practices” 6.1 6.2 6.3 22

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2

6.4 6.5 6.6

Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Redress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
25

7 Threat Model 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9

Security Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Commercial Datamining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Database Reverse-Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Password Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Incomplete Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
University Surveillance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Disclosure to Advertisers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Lack of User Control of Information . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Summary and Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
34

8 Conclusion 8.1 8.2 8.3

Postscript: What the Facebook does right . . . . . . . . . . . . . . . . . . . . . . . 34
Final Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
College Newspaper Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
38

9 Acknowledgements 9.1

Interview subjects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
39
41
45

A Facebook Privacy Policy B Facebook Terms Of Service C Facebook “Spider” Code: Acquisition and Processing

C.1 Data Downloading BASH Shell Script . . . . . . . . . . . . . . . . . . . . . . . . . 46
C.2 Facebook Profile to Tab Separated Variable Python Script . . . . . . . . . . . . . . 46
C.3 Data Analysis Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
D Supplemental Data E Selected Survey Comments 56
73

E.1 User Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
F Paper Survey 75

3

as opposed to “the Facebook”. is how the site’s literature refers to itself. Our analysis found that Facebook was firmly entrenched in college students’ lives. with over 8 million users spanning 2. there are still significant shortcomings. Our goal was to first analyze the extent of disclosure of data. Users may submit their data without being aware that it may be shared with advertisers. We surveyed news articles on the consequences of Facebook information disclosure. Although many Facebook features empower users to control their private information. Intruders may steal passwords. both to give the user a reasonable perception of the level of privacy protection available. Finally. New York University (NYU). as well as the standards set by competing sites. we took the perspective of a third party acting in a self-interested manner. and of the terms of use and compared them against the current standards of “Fair Information Practices” as defined by the Federal Trade Commission. For each threat. We also found that Facebook’s privacy measures are not utilized by the majority of college students. 4 . and the University of Oklahoma. To analyze the extent of user disclosure.1 Introduction Facebook1 (www. and to protect against disclosure to intruders. or entire databases. We discovered questionable information practices with Facebook. from Facebook. then to analyze the steps that the system took to protect that data. Using this tool. as well as students who were punished for disclosing too much. there are bound to be risks to privacy. We adopt that terminology throughout the paper. Third parties may build a database of Facebook data to sell. Finally. attempting to download every single profile at a given school. we indexed the entire Facebook accessible to a typical user at Massachusetts Institute of Technology (MIT). we constructed a spider that “crawls” and indexes Facebook.000 college campuses. we constructed a threat model that attempted to address all possible categories of privacy failures. and that these users share significant amounts of personal information. University ad­ ministrators or police officers may search the site for evidence of students breaking their school’s regulations. To supplement this data. we surveyed the MIT student body to ascertain the level of use of certain Facebook features. Harvard. Our study found that upwards of 80% of matriculating freshmen join Facebook before even arriving for Orientation.facebook. there are a number of changes that can be made. From a systems perspective. its 1 “Facebook”. and interviewed students that harvested data. We undertook several steps to investigate these privacy risks. but users had not restricted who had access to this portion of their life. we conducted a “threat model” analysis to investigate ways in which these factors could produce unwanted disclosure of private data. [4] With this much detailed information arranged uniformly and aggregated into one place. and found that third parties were actively seeking out information. we make recommendations for Facebook. Given the existing threats to security.com) is one of the foremost social networking websites. looking either for financial gain or for assistance in the enforcement of university policy. To analyze the Facebook system we investigated the facets of the website.

Users need an @college. and user status (one of: Alumnus/Alumna.2 Information that Facebook stores All data fields on Facebook may be left blank. Facebook sells targeted advertising to users of its site. messages. and their privileges on the site are largely limited to browsing the profiles of students of that college. [4] Facebook was founded in 2004 by Mark Zuckerburg.edu email address to sign up for a particular college’s account. and Summer Student). “Northern California”). contact information. we will investigate profiles. For the purposes of this paper. account settings. 2 2. events. Grad Student. Facebook received $13 million dollars in venture funding.000 individual colleges. using SSL for login. extending “My Privacy” to cover photos. A minimal Facebook profile will only tell a user’s name. and to browse for entertainment. The site is often used to obtain contact information. Profile information is divided into six basic categories: Basic. Any information posted beyond these basic fields is posted by the will of the end user. Courses. Over the last two years. photos. Users can also specify what courses they are taking and join a variety of “groups” of people with similar interests (“Red Sox Nation”. Faculty. the total amount of information a user can post is quite large. Student. and a descriptive pho­ 5 . and e-mail address. friends. They list their “friends”. The site is unique among social networking sites in that it is focused around universities – “Facebook” is actually a collection of sites. each focused on one of 2.1 Background Social Networking and Facebook Users share a variety of information about themselves on their Facebook profiles. Staff. and tastes in movies and books. including photos. Users can enter information about their home towns. personal interests. aside from name. In May 2005. These include eliminating the consecutive profile IDs. [14] 2. User-configurable setting on Facebook can be divided into eight basic categories: profile. groups. and parters with firms such as Apple and JetBlue to assist in marketing their products to college students. friends. status. e-mail First-party information address. school. date of joining. and college administrators. Personal. and educating end-users about privacy concerns. including friends at other schools.users. their current residences and other contact information. and Picture. Facebook has become fixture at campuses nationwide. and Facebook evolved from a hobby to a full-time job for Zuckerburg and his friends. and privacy settings. then a Harvard undergraduate. Profes­ sional. Although the required amount of information for a Facebook account is minimal. Contact Info. job information. All six of these categories allow a user to post personally identifiable information to the service. and privacy settings. to match names to faces.

and where in the photograph they are located.tograph. the privacy settings page allows users to block specific people from seeing their profile. The “My Photos” service allows users to upload. “Contact Info” “Personal Info”. a user can request Facebook to not share information with third parties. from each photograph. use the available message boards. These tags can be cross-linked to user profiles. who can see their contact info. The privacy settings page allows a user to specify who can see them in searches. or for “facebook AND journal AND arti­ 6 . the Social Science Research Network. “My Groups”. Users define each other as friends through the service. Users may disable others’ access to their Wall. In addition. 3 Previous Work No previous academic work specific to Facebook was found on the Lexis databases. The “Wall” allows other users a bulletin board of sorts on a user’s profile page. Users can append metadata to the photographs that allows other users to see who is in the photographs. Google’s database for scholarly papers. though the method of specifying this is not located on the privacy settings page. birthday wishes. is to manually remove the metadata tag of their name. but not to the Photos feature. “Basic Info”. As per the usage agreement. By default. there is a link added from my profile to that photograph My Groups Users can form groups with other like-minded users to show support for a cause. A major goal of Facebook is to allow users to interact with each other online. The only recourse a user has against an unwelcome Facebook photo posted by someone else. Table 1: Facebook Features Third-party information Two current features of Facebook have to do with third parties associ­ ating information with a user’s profile. If a friend lists me as being in a photograph. My Profile The Wall My Photos Contains “Account Info”. and look for trends. who can see their profile. individually. creating a visible connection. Other users can leave notes. store and view photos. or find people with similar interests. “My Privacy” Facebook’s privacy features give users a good deal of flexibility in who is allowed to see their information. aside from asking them to remove it. and which fields other users can see. and personal messages. and a list of friends Allows other users to post notes in a space on one’s profile Allows users to upload photographs and label who is in each one. all other users at a user’s school are allowed to see any information a user posts to the service. We will investigate the amount and kind of information a typical user at a given school is able to see. and searched from a search dialog.

We investigated when users create their accounts.1 Usage patterns of interest. the Federal Trade Commission has done research into the area of online privacy practices. we harvested data from the Facebook site directly. including the 1998 report to Congress entitled “Privacy Online. there are many news articles that have been published about the emergence of Facebook..” [6] Previous work in social networking has included a thorough investigation of “Club Nexus”.. we conducted a survey of MIT students on the use of Facebook’s features. a site similar to Facebook located at Stanford University[1]. we closely investigated the usage patterns of Facebook. First. 4 Principles and Methods of Research In order to investigate the ways in which Facebook is used. and which kinds of users create accounts.Visibility to Search? Profile Visibility Everyone Restricted Everyone at school Friends of friends at school Just friends Contact Info Visibility Everyone at school Friends of friends at school Just friends Profile also shows. and has published several reports on the matter. its incorporation and subsequent venture funding. My friends My last login My upcoming events My courses My wall Groups that a lot of my friends are in Table 2: “My Privacy” settings (defaults in bold) cle” and numerous other terms in a general web query. the consequences of third parties discovering infor­ mation that users have made public[14][20][21]. Second. In related fields. We employ two methods of data collection to learn more about the way users interact with Facebook. and recently. Our main objective in gathering and analyzing Facebook user data was to make statements and generalizations regarding the way users use their Facebook accounts. 4. Though the friending service is of 7 . Although no journal articles exist.

and formation of URL used to retrieve this page. Figure 1: A sample Facebook page. 8 . accessible fields. Image removed due to copyright restrictions.A Sample Facebook Page. Note the layout.

High School. nearly exhaustive and statistically significant data set. multiple choice questions which would serve to reveal usage patterns.3 Direct data collection Our collection of data directly from Facebook served two principles. and status.30J/11. Simmons Hall. AOL Screenname. 4. The collection of data was not entirely trivial. Burton-Conner. we asked all survey takers to notify others of the survey. the collection of data from Facebook will provide us with a large.002J. and replaced by “OBSCURED”2 . 4.2 User surveys Our direct user data collection procedure employed both paper surveys and Web based forms to ask individual users questions concerning their Facebook practices. When we considered sets of more than one record. but we were able to produce the scripts necessary to do so within 48 hours. we aggregated it into a spreadsheet. We set up a table in the MIT Student Center. and take approximately three minutes to complete. and Random Hall dormitories to complete the surveys. we aimed for a minimum number of straightforward. 4. We designed the survey such that it would fit on one printed page. we obscured data we deemed to be personally identifiable – Name. offering students a chocolate-based incentive for completing surveys. from which we can draw valuable conclusions on usage trends. Via e-mail. we gathered data through four routes. as well as their familiarity with Facebook’s practices. their date of joining Facebook and utilization thereof. These fields were unchanged if left blank by the user. Also.great interest to social network research. 2 Before we developed the software to obscure the data. MIT course 17. In designing our survey. It also asked about their knowledge of Facebook’s Terms of Service. It served as a proof of concept. for the purposes of our paper. The questions asked about the subject’s gender. we asked the residents of the East Campus. Finally. and Dormitory. and opinions on the quality of the service. to complete the survey. Privacy Policy. familiarity with various aspects of the service. we did do enough analysis to discover that 48 Facebook users at the schools we studied have the phone number 867-5309 9 . residence. we primarily investigated the number of friends users have on the service as an indicator of use. and privacy features. and look for trends.4 Obscuring personal data Before analyzing data. We asked classmates in Public Policy. The complete text of our survey is included as an appendix. In order to diversify the survey results. to demonstrate that it is possible for an individual to automatically gather large amounts of data from Facebook. Phone Number.

Once logged in to the service. a user is free to interact with Facebook. to a Web browser over the Internet. Some of this information. created at the time of creation of each new account. Scripts and applications at Facebook get.php?id = U SERID (2) Facebook will read the school and user ID. process. During the login process. This sends a special URL to the service: http : //www. and filter information on demand. This information is vulnerable to detection by a third party. This checksum varies from login to login. Content is stored centrally on Facebook servers. and does not provide any personally identifiable information or technical insight. The date of its creation is the date which Facebook was opened to that school. look at others’ profiles. such as the user’s e-mail address. a user can log in to the service. or return the user’s home page if the profile he requested is blocked or does not exist. To log in to Facebook. human-readable URLs. The first user at every school is called “The Creator. filtered for privacy by the user’s request before being delivered. or browse the small amount of information available to the general public. Users begin their Facebook session at the service’s top level site.” This profile’s USERID is the lowest userid at any given school. and explore the service. which the browser stores as a session cookie and generally does not write to a file. Facebook does require a school e-mail address to use their service.4. and give the user either the requested user’s profile page. but other parameters do not. profile URLs are retrieved by requesting a URL of the form: http : //SCHOOL. http://www.com/login. add or change their friends lost or personally identifiable information. which is stored in the form of a cookie.php?email = U SERN AM E@SCHOOL. The majority of features on Facebook are requested via simple.com/.5 A brief technical description of Facebook from a user perspective Facebook uses server-side Hypertext Preprocesser (PHP) scripts and applications to host and format the content available on the service. and deliver it to users in real time.f acebook. The main page of the service is spartan. Facebook’s service creates and gives a user a unique checksum at every login.facebook. users enter their username and password into the appropriate fields on the page. User Ids continue to be assigned sequentially from the first valid number.f acebook. No secure socket layer (SSL) or other encryption is used in logging in tot he service. the service provides the user’s web browser with some information. The user may edit their profile.edu&pass = P ASSW ORD (1) Note that this URL contains a user’s login credentials in clear text. 10 . is written to a file so the user does not have to enter his or her e-mail at the next login. For example. At the main Facebook page.com/prof ile. and click Login.

Users with a school e-mail address @SCHOOL. a new user’s profile and all information are fully visible to all other users at the same school. others have utilized Facebook’s use of predictable.” the first profile at a given school.facebook.20.php?id = U SERID . and ou. “the non-interactive network downloader.f acebook. 5.5. but not visible to anyone at another school. Our approach used the incremental profile identifier to download information in large quantities. and save the profile as a file. Many users do not change their default settings.com.facebook. making their information accessible.com. 4.e. To implement our algorithm. For example. 4.1 Data acquisition We are not the first to download user profiles from Facebook in large numbers. When a user logs out of Facebook or closes their web browser. parsing.” In addition to implementing the above algorithm. i. easy to understand URLs to automatically request information and save user information for further analysis. they must enter at least their password to use the service again.facebook. the session cookies are lost. For the most part.25.facebook. For every profile from USERID-LOW to USERID-HIGH at a given school SCHOOL: Get the profile.15. using URL http : //SCHOOL. Log in to Facebook and save session cookies. This generally means that once a user exits the service. We discuss how we and others have done this in the next section.com/prof ile. within the past day. we made wget pretend to be another web browser 11 (3) . Save this number as USERID-LOW. The algorithm we used to gather this data is very straightforward: 1. This ar­ chitecture allows Facebook to easily move different schools to different servers if necessary. Decrease the USERID until you find the ID of “The Creator. 3. By default. Increase the USERID until you find the ID of a user who joined recently.com all redirect to 204. 2. and analysis relatively easy. Load your home page and note the USERID of the page.edu will go through http://SCHOOL. In the past. nyu.facebook. harvard.com. many of these “servers” redirect to the same machine. mit. Save this number as USERID-HIGH. we used wget. Each separate school has its own Facebook “server” for its content.com/.Facebook’s human-readable URLs and regularly formatted HTML make automated acquisition.

and P is our sample population. our uncertainty increases to 6. [17] Our survey results are good enough to make coarse extrapolations to the MIT community in general. we can be 95% certain that our survey responses fall within 4.000 total undergraduates and graduate students. we can find the statistical significance of our findings using the results of confidence levels and confidence intervals from statistics. Z is a value proportional to the confidence level (1. which we include in the appendix.e. 4. At a confidence level of 99%. expressed as a decimal (with a worst case value of 0.04 ± 0. we use the correction S� = S 1 + S−1 P (5) Where S is our original sample size. We also had wget randomly insert a delay between requests. Reflecting an MIT student population of 4. The sample size of a survey group is related to the confidence value.000 undergraduates and 6. We exhaustively downloaded every profile 12 . There were 224 female respondents and 195 male respondents. and can be sent as part of the login URL as an email and password pair. We ran this script four times: once for Harvard. expressed as a decimal (i. At a confidence level of 95%. p is the percentage picking a choice. and a sample size of 419 applying to an MIT student popula­ tion of 10. with strong concentrations in dorms where we e-mailed the survey. The final application we used to download profiles was a short (five line!) BASH shell script.6 Statistical significance Survey data Over the course of the two weeks we ran the survey. and c is the confidence interval.68%.04). 419 MIT students responded to the questions asked. Collected Facebook data In general. to keep load off of Facebook’s servers and make our requests less difficult to detect.000 graduate students.68% of the true values.96 for a 95% confidence interval). the percentage picking a choice. 0. MIT.17%. and a worst case answer uncertainty of 50%. For small populations.by changing its user agent (to avoid potential suspicion at using wget to log in to Facebook). S � is our new sample size. The users answering our profile questions came from all of campus. The respondents were mostly un­ dergraduates (90%). In other words. We took advantage of the fact that logins and passwords are not encrypted. and the confidence interval by the formula S= Z 2 p(1 − p) c2 (4) Where S is our sample size. the University of Oklahoma (OU). and New York University (NYU). we were able to collect large numbers of user profiles from Facebook using our information collection system.5). we find our confidence interval to be 4.

we created two sub-scores. AIM Screenname. Users put real time and effort into their profiles. and Books). classes. Major. From there. and at other points we will show raw data when we want to indicate a trend. Mo­ bile Phone. We will attempt to statistically correlate certain variables to prove hypotheses. The overall score is the sum of the percent­ age disclosure of (Gender. High School. as well as a sub-score reflecting disclosure of user interests (Interests. and Clubs/Jobs).16% 70. and Books).28% Aggregate Statistics We established a ”disclosure score” to quantitatively rank the amount of PII disclosed by different colleges. 5 5. Music.available at our four subject schools. Students tend to join as soon as possible.71% 66. Privacy concerns differ across genders.1 End-Users’ Interaction with Facebook Major trends After processing the results of our user survey and downloaded Facebook profiles. AIM Screenname.54% 77. as long as we limit our conclusions to generalizations about the population of students with accessible Facebook profiles. In the following pages. Music. Clubs. Facebook is ubiquitous at the schools where it has been estab­ lished. Users give imperfect explicit consent to the distribution and sharing of their information. 13 . NYU Total Number Profiles 10063 25759 28201 32250 97273 Number Downloaded 8021 17704 24695 24695 70311 Percentage 79. we analyze the collected data along numerous lines. Movies. so there is no sampling uncertainty. Our full numerical findings are included in the appendix. The following table summarizes our success in downloading information. Dorm. Clubs/Jobs. and genders. Movies. Mobile Phone. Interests.41% 72. we found some general trends in Facebook usage. often before arriving on campus. Success Rates In Downloading Profiles School MIT Harvard Oklahoma U. and statistically justify our findings. Users share lots of information but do not guard it. one to reflect contact information that could conceivably be used to contact or locate users (Dorm.

and 2009. 1016. respectively.000. the Facebook FAQ warned against creating fake accounts. the number of accounts for the classes of 2007-2009 (3850. Although fake accounts could bloat the number of accounts. while only 39 (9%) did not. 2008. a Paris Hilton account 3 would not need to be constantly updated. the majority of Facebook accounts are updated at least monthly. where potential pranksters are limited to two e-mail addresses[18]. and 921 accounts that provide the class years of 2007. the vast majority of undergraduates have Facebook accounts. the fact that the Facebook user base is quite similar to the MIT undergraduate population point to the fact that a large percentage of Facebook users are genuine.250.Figure 2: Number of Profiles identifying as a class divided by students in that class 5.2 Facebook is ubiquitous Survey results indicated that large majority of MIT students Possession of a Facebook account have Facebook profiles. compared to a class size of roughly 1. As shown below. At NYU. There are 948. Aside from her romantic attachments perhaps. Of 413 respondents. 4012. Indexing the Facebook seemed to indicate a similar result. [16] 3 Until recently. which fits the profile of large numbers of users updating information about themselves. 4076) correspond closely to the class sizes of 4. 374 (91%) claimed to have Facebook accounts. telling users that “Everyone knows that you’re not Paris Hilton” 14 .

over 948 ( roughly 60%) Harvard Class of 2009 freshmen created their accounts within a month of getting their email address. with most 2008 freshmen signing up 4 19% of Harvard pro les. users exhibit similar behavior in creating their Facebook pro les. T he class of 2008 enrolled at M IT admission and had access to M IT server by M ay of 2004. it is also likely that this 15% compose users who signed up right at the launch of F acebook for their school and did not update their accounts afterwards. T he class of 2009 had an even more pronounced spike at matriculation time. which was generally over the summer or during orientation. We were able to access 1016 members of the class of 2008 with Facebook pro les 6 . indicating the extraordinary draw of the Facebook. 5 Our experience is that M IT sends out M IT S erver coupons around this time 6 Note that these numbers may be skewed by accounts for ctional people or celebrities. e. had MIT server accounts by May of 2005 5 . During M ay and J une of 2005. B ecause no update timestamps exist before J une 2004. T he majority of the class of 2008 joined Facebook from J une 2004 to August 2004. Approximately 100 created their pro les in M ay of 2004 ( i. 921 members of the class of 2009 have unrestricted Facebook accounts. T his hypothesis is substantiated by the fact that the number of blank update elds at a school is proportional to the length of time before J une 2004 F acebook was available at that school. and 2009. it is probable that the feature was implemented at that point. dropping to approximately 10 per month. whereas the class of 2009. M embers of the M IT class of 2008 tended to create their pro les as soon as they heard about Facebook. Freshmen create their accounts as soon as they can. S trikingly. 5. 10% of NY U pro les. Note that M IT admits classes of approximately 1. and 6% of O klahoma pro les do not have an update timestamp. the majority of them also keep them constantly updated.Month 53% Three Months 82% Six Months 92% One Year 98% F igure 3: V irtually all users update pro les often 5. with over half updating in November 20054 . and the remainder created their pro les at later times. 15% of M IT F acebook pro les. 3 U sers put time and e ort into pro les T he vast majority of users update their accounts frequently. 4 S tudents join F acebook before arriving on campus We looked at the distributions of pro le creating dates of members of the classes of 2008. In this time. At other schools. T his indicates that not only do the majority of undergraduates have Facebook accounts. 15 .000 freshmen. Given the exponential tail-o of the last update times. and all unstamped pro les were last updated before that point. At present. 699 members of the class of 2008 created their pro les. as soon as they could) . T he Harvard trends are even more pronounced as we can see from the graph. 538 members of the class of 2009 created Facebook accounts. the current freshman class.

screen name. the relative willingness to disclose all information increased. Facebook has grown extremely rapidly.5 A substantial proportion of students share identifiable information Facebook users at MIT tend to give a large amount of personal information.000 users. and tend not to restrict access to it. favorite books. interests. we found that. and became increasingly protective of their information regarding residence hall. Using another heuristic for determining active users. favorite movies. users with lots of friends tend to be much more forthcoming with their personal information. If Facebook continues to grow in popularity.000. Of the 5279 MIT profiles updated on or after September 1. clubs and jobs.6 The most active users disclose the most Users who frequently update their profiles tend to be even more open. establishing a user base of 8. music interests. Facebook users are more wary of some kinds of personal information than others. while the class of 2009 obtained their Facebook accounts immediately.Figure 4: Freshmen create accounts sooner and sooner after matriculation over a three-month period. If this trend continues. particularly that which might be valuable to advertisers. 5. 5. Users were most willing to indicate their high school. the average user will likely become more and more like the “well-connected” user. although the general trends of relative disclosure did not change. the level 16 . Furthermore. 2005. and close to 100% penetration at certain schools. and mobile telephone number.

Figure 5: Users disclose personally identifiable information Figure 6: Recent users disclose even more 17 .

respectively. this is another indication that more and more data will become available on Facebook.). 7 0. 2 for the Classes of 2009. undergraduates share much more data than average. We did this at all four schools. such as the social atmospheres at the school. Harvard provided us with the lowest percentage of visible profiles from existing profiles (66%). administrative advice on Facebook usage. and 2007.3% 64.7 Undergraduates share the most.7% 62. and -.1% 21.7% 19.151 for the contact score. in almost every case.5% Figure 7: Connected users disclose more personal information.496 for the overall score.6% 59. 18 . screen name.All Schools: Disclosure of PII Clubs 300+ Friends All Users Difference 81. whereas MIT provided the highest (79%). 2008. and the contact and interest subscores. we attempted to correlate disclosure scores to class years.4% Gender 92. r = -. and classes keep sharing more As shown in the table below. and the result was that all disclosure scores were weakly correlated to class year (r = -.187 for the interest score.1% 8.1% Mobile 25. The differences we noted are probably a function of many variables specific to the school.2% Movies 81. On the other hand. This means that there is a correlation between being in a younger class and disclosing more information. Students at the University of Oklahoma were much less likely to share contact information (such as residence.1% 17. 5. As the majority of new registrants for Facebook each year are going to be undergraduates. Difference between classes In order to determine if there is a statistically significant difference between courses. we found subtle differences in the way student interact with Facebook.0% Music 82. students at Oklahoma were the most forthcoming about their tastes in books. We ran a regression of number of years in attendance at the college 7 against the disclosure index. The differences we found really speak to the notion that Facebook is different at every school it supports.9% 64.8% 10. especially commercially valuable information of information disclosure will keep increasing correspondingly.5% 29.9% Books 76. movies.4% Interests 85. and so on.8% 82. Of the universities. and mobile phone number) than students from any other university in our study.0% 51.6% 17. and the undergraduates most likely to disclose information no less.0% 18. Such topics are outside the scope of this paper. policies on information sharing. 1. and music.8 Differences among universities Among the four universities we investigated. 5.

Difference in Disclosure Harvard Gender Major Dorm Room? High School AIM Mobile Interests Clubs/Jobs Music Movies Books 22% -6% 30% 23% 32% 26% 3% 29% 17% 33% 31% 31% MIT 17% 23% 23% 4% 18% 18% 10% 16% 23% 18% 19% 17% Figure 8: Difference between Class of 2009 exposure and all users MIT Major Dorm AIM Mobile Interests Clubs/Jobs Music Movies Books 81% 96% 71% 24% 78% 49% 77% 74% 74% Harvard 64% 94% 72% 27% 81% 58% 82% 80% 80% OK 91% 85% 62% 17% 89% 76% 93% 90% 81% NYU 79% 89% 76% 15% 81% 50% 84% 82% 77% Figure 9: Disclosure rates of the Class of 2009 19 .

At the same time. 353 (91%) had not read 20 . This tendency of users is further evidence that Facebook use is more characteristic of physical relationships than that of an exclusively online community. 243 people (63. 104 (31.5%) are barely concerned. survey respondents expressly indicated low con­ cern for Facebook’s privacy policies.9 Even more students share commercially valuable information The information most relevant to advertisers would likely be demographic data (age. As shown above. and 30 (7. as paired with interests. 76 (23%) are not concerned with Facebook privacy. 117 (35. Of 389 respondents. and 12 (3. while 146 (38%) said they do not. Of 389 users indicating familiarity with “My Privacy”. it merits further attention.” 234 (62%) said they use the feature. phone numbers. Although this seems like an intuitive notion. loca­ tion).6%) are very concerned.83%) claim to friend strangers. In general. a powerful metaphor that is at the heart of the way users share their information on Facebook.6%) are somewhat concerned.” while 100 (26%) say they are not.5. of the 380 users who gave information regarding their use of “My Privacy. gender.45%) never friend strangers.10 Users are not guarded about who sees their information As a whole. 289 (74%) say they are familiar with “My Privacy. and social security numbers. 20 (6. Concerns about Facebook privacy As a whole. over 70% of users are willing to disclose both categories of information. matching the details about users’ interests and current location to addresses. 110 people (28. and choose not to use them. Of the 383 respondents to this question. Likelihood of “friending” strangers.72%) friend strangers on occasion. dedicated users have a tendency to disclose this information much more often.11 Users Are Not Fully Informed About Privacy We asked Facebook users if they had read Familiarity with the TOS and the Privacy Policy Facebook’s policies regarding their use of the service. which may be a leading indicator of even greater disclosure. 5.1%) are quite concerned. In addition. doing so almost exclusively. 5. Women and men are equally unlikely to add a stranger to their list of friends. users are familiar with the privacy Knowledge and use of “My Privacy” feature features Facebook offers. Of 329 respondents. making the Facebook a valuable trove of demographic data for marketers. Actively choosing to not use “My Privacy” indicates that users believe there is a benefit to providing information and allowing others to see it. Only allowing people whom users know in real life to access their information is a good Facebook security strategy when combined with other privacy features and selective posting. Facebook users at MIT tend to friend people they know. this database of interests could easily be cross-referenced by a database from a third-party ven­ dor.

Of 374 respondents. 139 users (33%) said no. some 342 (87. and a strict reading would imply that Facebook can share information with third parties. More Risks Are Presented The overwhelming majority of Facebook users are familiar Familiarity with “My Photos” feature with the “My Photo” feature. Women definitely self-censor their Facebook data more than men do. Both genders are equally unfamiliar with Facebook’s Terms of Service and Privacy Policy.” Although the policy could be construed to imply they will not share information. including responsible companies with which we have a relationship. The FAQ states that “We don’t distribute your user information to third parties. as shown in the table9 . and some 84 (20%) did not know. as indicated in their privacy policy 8 . states that “we may share your information with third parties. Facebook can indeed share your information with other companies for advertising or other purposes. 174 (47%) believed Facebook could not do this.462. 5. we compared the trends of male and female users. Of 389 respondents. When asked if users have any control over the “My Photo” content of others. although most users are familiar with the feature. and have a higher percentage of friends from MIT.992. but not to a statistically significant level.” The Privacy Policy. We found that schools with more women share proportionately less contact information. few seem to worry about its potential implications. including legal requests and “facilitating their business. it is certainly not clearly stated. have more friends.the Terms of Service. This is pronounced in the number of mobile phone numbers made available to the public. indicating an extremely strong link between the behavior of the genders at any particular school. 8 The FAQ and Privacy Policy are actually in direct contradiction on this point. Women were more likely to use Facebook’s “My Privacy” feature in our survey. Furthermore.12 As Facebook Expands. In addition. Women are more likely to log into Facebook. 196 users of 416 respondents (47%) said yes. 21 .9%) were familiar with the feature. we calculated the correlation between self-reported gender percentages at the dif­ ferent universities. 5. Of 390 respondents. on the other hand. or did not provide an answer. 9 The correlation coefficient of male to female mobile phone disclosure is . 347 (89%) had never read the Privacy Policy. while 200 (53%) believed Facebook could. with a correlation coefficient r = -. on restricting access to photos posted on the service. Understanding of Privacy Policy We asked users to guess whether or not Facebook can share your information with other companies. and correlated these to the contact information index.” The Facebook then lists reasons that they may share information.13 Women self-censor their data In addition to the above analysis. specifically.

Disclosure of phone number. Customers must be aware of information collection and their rights regarding that collection before they can exercise them. among other things: 22 . and favorite books.).5% 20. Here we found that the male-dominated schools tended to share less information. a report to Congress assessing the state of privacy on the Internet. Choice. which may indicate that women are more likely to share information about themselves which will not lead to phone calls or unwanted visits. until Facebook changes the parameters of their system. or there are enough newsworthy privacy stories to change users’ perceptions. As Facebook becomes more entrenched. before data is collected.1 Facebook and “Fair Information Practices” Overview In 1998. users still share a lot of personal information that could be valuable to many parties. clubs. we compared gender ratios to the interest data index (the extent to which users share their interests. and Redress. This report identified the five “widely accepted fair information practices”: Notice. Access. areas Facebook needs to address if they are to protect the privacy of its users.7% 22. 6 6. especially women. As time goes on. including. These areas cover the basic principles of online privacy. [6] 6. by gender Male Harvard MIT NYU Oklahoma 33% 29. The correlation coefficient between self-reported female percentage and the interest index was r=.5% 11.625. disclosure rates are likely to rise. 5. The basic “notice” requirements are a clear statement given to the consumer.14 Men talk less about themselves In contrast. etc. it is becoming even more entrenched in college life.2 Notice Notice is the first and most important requirement of fair information practices.15 General Conclusions Facebook is an institution at the colleges we surveyed.6% 8% Figure 10: Women self-censor the information they share 5. the Federal Trade Commission published Privacy Online. Security.2% 21% Female 26. Although they tend to self-censor.

choice relates to secondary uses of information – i. The two types of disclosure are disclosure to other users of the site.e. their Privacy Policy falls short in other areas. such as “Facebook also collects information about you from other sources.” This passage is either inaccurate or outdated. This information is gathered regardless of your use of the Web Site. and any potential recipients of the data. Facebook has close relationships with several corporations. We use the information about you that we have collected from other sources to supplement your profile unless you specify in your privacy settings that you do not want this to be done. it is necessary to enter some personal information if one wishes to participate in a social networking website. It specifies Facebook as the entity collecting the data. • The nature of the data collected and the means by which it is collected if not obvious (pas­ sively. there is large amounts of additional disclosure going on. including non-obvious data such as session data and IP addresses.3 Choice “At its simplest. however. including marketing partners. such as newspapers and instant messaging services. Parts of the policy are vague. uses beyond those necessary to complete the contemplated transaction. not all users understand the terms of the bargain. our survey showed that 46% of Facebook users believed that Facebook could not share their information with third parties. 6. or actively. However..• Identification of the entity collecting the data. and some are seemingly contradictory and confusing. and the consequences of a refusal to provide the requested information. integrity and quality of the data. Unfortunately. Even though Facebook accurately addresses what information they will be including on the whole. choice means giving consumers options as to how any personal information collected from them may be used. • The steps taken by the data collector to ensure the confidentiality. Specifically. • Whether the provision of the requested data is voluntary or required. and users are receiving the use of an extremely useful and popular site for free in exchange for it. as no setting related to this information is available in the “My Privacy” feature. the uses to which the data will be put. and does a good job of identifying which data will be collected in most cases. and disclosure to third parties. The identification of the uses to which the data will be put are nonexistent.” [6] Clearly. [6] The Facebook Privacy Policy aims to fulfill this requirement. by means of electronic monitoring. and the identification of the targets of potential disclosure is anybody Facebook deems appropriate. primarily 23 . This disclosure is certainly legal. integrating their marketing efforts seamlessly into the site via giving them special “Groups” for interested students. by asking the consumer to provide the information).

4 Access “[Access] refers to an individual’s ability both to access data about him or herself – i. making them exceedingly easy to sniff off of a public network. providing consumer access to data.” By this standard. to view the data in an entity’s files – and to contest that data’s accuracy and completeness. but it is not transparent and there is no evidence that one’s request is actually honored. without any checks on the accuracy or 24 . See later in the paper for more details. If you choose to remove your Member Content. The issue here is that there are virtually no controls on what Facebook can expose to advertisers. the license granted above (that permits Facebook to use the data) will automatically expire. to a large extent. It also allows advertisers to set cookies that are not governed by the privacy policy. This is clearly inferior to the current best practices for password protection.5 Security Security is the process that ensures data integrity and restricts access to those who have been granted it legitimately. including the account passwords.advertisers. Although Facebook uses passwords to protect accounts and a MD5 hash as authorization. Facebook follows this principle fairly well. Because Facebook is based on the sharing of information. and destroying untimely data or converting it to anonymous form.” [6] This attribute is more targeted at credit agencies and other organizations which maintain files on users which they may not want to disclose. allow the interested user to easily control what other users of the site can see about their profile data. The privacy features provided by Facebook. There is way to request that Facebook not share your information with others. The blanket statement regarding disclosure allows Facebook to disclose any personal data to adver­ tisers. it gives users control over the existence of information about themselves in the Facebook database. 6. Privacy Online states in part “To assure data integrity. as third parties can upload pictures and associate them with one’s account. Their terms of service clearly state that “You may remove your Member Content from the site at any time. and the storage of data on secure servers or computers that are inaccessible by modem. The “My Photos” feature seems to run counter to the Security principle. Facebook falls short. their use of encryption is nonexistent. use of passwords. 6. such as using only reputable sources of data and cross-referencing data against multiple sources. Both are essential to ensuring that data are accurate and complete.” “Security measures include encryption in the transmission and storage of data.. and because Facebook provides users with the ability to control this information.e. All authorization informa­ tion is sent in the clear. collectors must take reasonable steps.” Although Facebook is certainly vague about the uses to which the data will be put.

ChoicePoint’s databases were breached and 145. Redress requires that customers be aware of ways in which they may be harmed. The fear of a security breach is certainly a reasonable one. there are absolutely no user controls akin to “My Privacy” relating to photos at all. a trove of so much personal information would contain much information that people would not want to make public. MySpace: A Comparison MySpace has several clauses in its Privacy policy that deal directly with contingencies that are not pleasant for the company to admit. as large data warehouses are often targets of intruders. Users have no way of preventing pictures of them from being uploaded. [3] While a Facebook breach would not be sufficient to start performing identity theft. the most they can do is remove the tag that links the photo directly to the user’s profile. redress should entail acknowledgment of user requests and transparency in followthrough on them. self-regulatory regimes should include both mechanisms to ensure compliance (enforcement) and appropriate means of recourse by injured parties (redress). even if one is logged into the MIT facebook. there is no policy for notification of customers. a clear policy on this matter would have been beneficial for users.appropriateness of the data. In addition. For example. One can ask to see all of the pictures of “Michael Smith” at Stanford and view them. 7 7. Even if users seek to disassociate themselves with any photos. would potentially put all 8. no site is perfectly secure. We have found that any Facebook picture is accessible from any Facebook account.000 Facebook records at risk.” Much like the other privacy principles. 6. with no regard for privacy settings.6 Redress “To be effective. The company tells users that security breaches can never 25 . either from an outsider locating vulnerability or from a disgruntled insider. This is not a risk that can be eliminated.1 Threat Model Security Breach Threat and Feasibility A security breach at Facebook. In addition.000 records were compromised. The “prevent my information from being transmitted to third parties” request would be much improved if one could track the ramifications of that request.000. In light of holes such as the “advanced search” hole described below. In the case of security breaches. or even the default Facebook per-university controls.

.be completely prevented. MySpace does not have a notice requirement in the case of security breaches. but easy. In addition. Profiles used for social networking are likely to be 100% accurate. Current Precaution Facebook’s Terms of Service state that using the site for data-harvesting purposes is forbidden. as they are maintained by their subjects. This statement offers no protection. Facebook has a database on 8 million college students that is far more accurate than the usual commercial data. however. and there is no recourse against those who may seek to do so. The fact that we (two students) were able to data-mine the Facebook in a week.2 Commercial Datamining Threat Companies such as ChoicePoint. 7. This ensures that an unreasonable expectation of data security is not established[10].. Their notification requirements regarding changes to their privacy policy appear to be aimed at this contingency. you agree not to use automated scripts to collect information from the Web site or for any other purpose. even if “reasonable” steps are taken to prevent security breaches. A clearly stated requirement in their terms of service that they notify end-users whose privacy was violated would empower end-users. attached as an appendix. Inc. which states that “You further agree not to harvest or collect email addresses or other contact information of members . MySpace confronts the possibility that they will be acquired. and notifies its users that their new owners could be less than scrupulous about using personal data. which have records of dubious accuracy[15]. for the purposes of sending unsolicited emails or other unsolicited communications. Unfortunately. Thus. Additionally. Feasibility Using our code. we can conclude that it is possible to harvest data from the site. This is in marked contrast to the accuracy of databases such as those maintained by ChoicePoint and Acxiom.” “Clickwrap” licenses like the terms of 26 . have built billion-dollar business on selling databases of per­ sonal information. Recommendation for Facebook: Security Disclosures Facebook should have a policy regarding disclosures of private information due to security breaches or unethical employees. we were able to crawl Facebook for four schools. if it is possible to use the site for these purposes. creating a comprehensive data-set spanning all accessible profiles. as users have an incentive to make information accurate. Our data collection violates the Terms of Service for Facebook. using the time allotted to us for one class is evidence that data-mining the Facebook is evidence that it is not only possible.

he was able to systematically build up a database from queries on Facebook’s database. Zeidenberg. referenced in [19] 27 . one could easily reconstruct all Facebook profiles regardless of privacy preferences.facebook. performing a query at a certain college requires that one be logged in from an @thatcollege. For example. Up until November 10. etc. so he was able to systematically query who lived in dorm “101”. There are no provisions for the violation of the Terms of Service. An advanced search for “getting drunk” would still associate the students’ name with this string. Normally. until he had a comprehensive list of where everyone said they lived in their profiles. and assign user IDs randomly out of that. 10 ProCD v. The problem is that when people hide their profile page. when invalid UIDs are accessed.com” to “school. Then. An MIT student could write “getting drunk” as an interest and set their profile so that only their friends could see their profile. and the termination of the offending account would not be a sufficient deterrent for those determined to obtain and use this information. The problem was compounded by a security hole that multiple people have discovered.com”.edu account. 7. he could perform the query on any school without having a valid account for that school.000 students at 8 Boston-area schools. Over the course of a month. Further research found a student that actually employed this strategy to create a database of at other local schools. those IPs/accounts could be monitored for signs of abuse. This information is not actually secure unless they also exclude their profile from searches.service have generally been upheld by courts 10 . He was only interested in using data on MIT students in an aggregated manner.facebook. “102”. A better system would be to make the profile number space 10 times the number of people eligible for accounts at the university. 2005. He also discovered that most fields are indexed by ID number. Recommendations To Facebook: Better URL System Because of the method by which Face- book assigns User IDs. they expect the information on it to remain private. but with that knowledge. A high school student at an MIT summer program discovered that by changing the server in the query URL from “mit. expecting that this information is secure. he compiled information on over 82.3 Database Reverse-Engineering Threat and Feasibility Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. one can search for sophomore males at Duke that enjoy Kurt Vonnegut. one can easily download all accessible profiles. but the danger posed to a person breaching this contract is uncertain at best.

Current Facebook Precaution Facebook blocks Advanced Search. all information save their name should be withheld from being searched by “Advanced Search.com/photo search. The University of New Mexico cited this as the main reason they chose to disable Facebook access from their network. however. The “Exclude my name from searches” preference in the “My Privacy” section actually solves the problem. however. 7.4 Password Interception Threat The fact that the username and password were sent in cleartext is a security vulnerability.5 Incomplete Access Controls Threat and Feasibility In searching for user photos on Facebook. that MIT cited password theft as a real problem when they maintained telnet servers that had login data sent as cleartext. It should be noted. we did not attempt to steal passwords. Recommendation to Facebook: Restricting Search When users set their profile to be friends- only. Because an intuitive leap is needed to see how to use the Advanced Search for data-mining. It is used by Google Mail. Current Facebook Precaution Facebook currently takes no steps to protect user passwords in transit. which limits the scope of the problem. and countless other sites to protect sensitive information as it is being transferred. An adversary could read Facebook user names and passwords off of the Ethernet or unencrypted wireless traffic. as well as any additional accounts they use those passwords for. the service uses a variant of this URL: http : //mit. obtaining access to users’ Facebook passwords.f acebook. It is a simple. Because of the ethical and legal implications of doing so. Because many many users use their university email passwords as their Facebook passwords. it takes the same intuitive leap for users to see the risk and protect themselves from it. except at one’s school. eBay. Recommendation to Facebook: Encrypt the Passwords Using SSL for login is the industry best practice for protecting passwords on login. MIT WebMail.” 7. UNM views Facebook as a security liability for their network. cheap solution that would close a major security hole.php&name = J ohn (6) 28 .

. 29 . Without detailing specific cases. He did say. but there have been smaller incidents. Dean of Residential Life Programs Andrew Ryder has stated that MIT is not actively monitoring Facebook for rule infractions. In addition.There is nothing inherently wrong with allowing users to search for photos. however. but has. but there are no restric­ tions akin to “My Privacy” for photographs.6 University Surveillance Threat Students in many cases are unaware of the complex interactions between university policy and the information they are making available online. he alluded to the fact that Facebook incidents that MIT has had to deal with so far have related to a student posting unflattering or untrue information about another student.. and the difficulty for a user to de-tag large numbers of photographs. which generated a complaint to the Department for Student Life. they exist all over the nation. It is also his personal belief that Facebook data would be admissible in Committee on Discipline hearings. 7. that if public or quasi-public Facebook information was brought to his attention. and their students’ activities. Current Facebook Precaution Facebook limits photograph searches by profile in the same way they limit regular searches. he would have to act on it. Recent months have seen a rash of incidents coming from students disclosing information that they never thought would end up in deans’ offices. “My Privacy” should extend to the “My Photos” feature as well. The ability of users to upload and tag photographs easily. users are unable to view others’ profiles on other websites.” anyone from any university can search for and see any other photograph by editing the query URL. but they can view all pictures. The one other MIT case involved a freshman in the class of 2008 advertising a party in his soon-to-be dorm room on Facebook before he even arrived on campus. These problems are not limited to technical schools like MIT. Feasibility MIT MIT has not had any high-profile Facebook-related cases yet. by default. the usual access controls do not apply to “My Photos. the problem lies in the additional unrestricted method of searching all photos by name. Recommendation to Facebook: Restrictions on Pictures Search This is weaker than any other access controls on the site. makes it easy for others to find photographs with few restrictions. and a growing realization of the importance of Facebook in a college environment. Administrators are using Facebook to learn about their students. and the search by name should be disabled.

es­ pecially as they pertain to harassment. Students believe that the information they post to Facebook should be protected as correspondence. Current Facebook Precaution The Facebook currently does not take steps to prevent this type of disclosure. and that he “was naive about Facebook. ambiguous. while school officials. University policies are two-fold. and ultimately canceled Fisher’s student status. The reason for this action given by Fisher College was Walker’s creation of a Facebook group committed to the dismissal of a campus security officer believed to regularly overstep the limits of his line of duty. Walker’s expulsion could set a dangerous precedent for university officials. the University of Oregon[24]. 30 . On the other hand. The recent expulsion of Cameron Walker may have created a concrete example of the harm that can come from Facebook activity. Georgia College[22]. To do so would be to make the university vulnerable to lawsuits in cases where forbidden behavior goes too far undetected. The wealth of new information available to administrators pushes the enforceability much closer to the literal readings of school policies. when the events leading to his expulsion occurred. will use evidence posted on Facebook to bring formal disciplinary charges against students. and in an age of litigation. Brown[28]. Recommendation to Universities: From a student perspective. then a second year student at Fisher College in Boston. they cannot afford to selectively enforce policies. there is the letter of the law. Walker claims that his expulsion was an example of a “few administrators doing whatever they wanted”. and what is actually enforced. His expulsion demonstrates the issues that can arise from the interactions of Internet publication and “unclear. Since November 1. School officials who monitored Facebook. Cameron Walker. was expelled from the school and barred from the campus. administrators are not free to set whatever policies they see fit. Dartmouth[23]. Mr.” News at Other Schools In recent weeks. UNC Greensboro[30]. there has been an explosion of articles in college newspa­ pers relating to the privacy concerns of Facebook. We conducted a phone interview with Walker in mid-Novemnber. Syracuse[27]. Macalester[26]. This is the first incident of a student being expelled for actions on Facebook. GW. cautionary articles have appeared in the newspapers of Emory[21]. and vague” (Walker’s words) student codes of conduct. and UPenn[31].Cameron Walker and Fisher College In October of 2005. Facebook has been an area relatively free of administrative interference until now. which could have many unintended consequences. pressured Walker to remove the group. it is the one case that many news articles mention. MA. Trinity College[25]. He was a sophomore in the class of 2008 in October 2005. because it wasn’t affiliated with a university. University of Tennessee at Chattanooga[29]. particularly at schools with strict codes of discipline.

Because of this complex interaction. Thus. and the differing goals that administrators have. a program during Orientation would help students from running afoul of university policy or being harassed. universities should educate their students about the dangers that online disclosure of information can pose. Until the societal norms regarding this new use of computers become well-established. Facebook faces a tough choice here: their business model is based on many ad views. and that if users make their profiles public. Recommendation to Facebook: Merge “My Privacy” Facebook is unique. Recommendation to Facebook: Warnings Page In an environment of growing misuse of in­ formation made public by Facebook. 96% of users employ it. all information contained therein may be viewed by job interviewers and college administrators. Recommendation to Facebook: Opt-Out Privacy In a world where a minority of users change software preferences.In addition. in that users are expected to return often and update their “preferences” (who their friends are. Because students are getting accounts earlier and earlier. Yet.” Their study found that if encryption on WAPs is set by default. colleges should look at their primary interaction with Facebook an educational one. thereby greatly increasing the number of views the privacy settings get daily. One page could contain fields regarding basic profile information as well as privacy settings. they should tell their students this up-front. and college administrators would not be doing their jobs if they didn’t understand and explore how a large portion of their student body was using their spare time and interacting with each other. is that of education. privacy protection cannot be an “opt-in” option. To fulfill this mission. however. opt-out protection is far more effective. Facebook could leverage this culture by merging the functions of profile updating and privacy settings. Recommendation to Universities: Educate Students The university’s most important role. which requires a relatively open network. which requires extended browsing sessions. as demonstrated by Shah and Sandvig in “Software Defaults as De Facto Regulation. If universities are going to use this information. Facebook could clearly state that they could provide no guarantees regarding the security of their data. their profile information). Facebook would do its users a great service to explain the dangers of security breaches and outside monitoring.4 times the number that do when it is not set by default. 31 . 3. however. Students can only claim that they have been treated unfairly if they can establish an expectation of privacy. Facebook is becoming a key component of college life.

However. to protect them legally. we are going to use users’ personally identifiable information in a manner materially different from that stated at the time of collection we will notify by posting a notice on our Web site for 30 days. have their own “groups” that interested users can join. dealing with smaller amounts of personal information than Facebook. to show their brand loyalty. They say that they “will make every effort to implement any choice you make as soon as possible. 12 “A User is bound by any minor changes to the policy when she or he uses the site after those changes have been posted If. e-mail address. Unlike Facebook. Facebook’s privacy policy explicitly says that they may disclose profile information to third parties.7. unless expressly required to do so by law. the feature has no followup or feedback. so the prospect of them doing so is clearly realistic. and is couched in language that does not actually imply any sort of binding agreement.7 Disclosure to Advertisers Threat and Feasibility Facebook has a relationship with several companies currently. your name. MySpace MySpace also has a much more explicit and user-oriented disclosure policy. with narrower goals. Friendster only collects the data you enter into your profile. IP address. Other Services’ Precautions Friendster Friendster’s privacy policy is indicative of a more mature service.” 13 “Except as otherwise described in this privacy statement. if clicked. 11 Users may be asked to provide personal information including name. Current Facebook Precautions Facebook offers an “opt out” link on their Privacy Policy page.” Offering the user choice in this matter is clearly to the user’s benefit. It will be clear at the point of collection who is collecting the personal information and whose privacy statement will apply. email address or home address or to answer questions in order to participate. however. or for a chance at giveaways. among others. and user agent. The scope of disclosure to third parties is much more explicitly dealt with. means that one can “submit a request” to Facebook to not share information with third parties. MySpace will not disclose personal information to any 32 . We may transfer personal information to certain ad partners that you have explicitly requested to receive information from. or to protect the safety of the public13 . Friendster agrees to never share your information with any outside agency. which. Apple and JetBlue. and limited to: • Disclosure to advertisers whom users have “explicitly requested” to receive information from 11 . 12 • Disclosures required to enforce their TOS. • The use of cookies by advertisers.

which allows users to upload photos and tag them with the names of the people in the pictures.Recommendation to Facebook: Accountability and Accessibility for Third-Party Opt-Out An opt-out feature that guaranteed that the user’s information would not be disclosed in the future would allow users much more control over their privacy. and perhaps even go farther. In addition. or (3) to protect the safety of members of the public and users of the service. which is a legal agreement.com Terms of Use Agreement or to protect our rights.” Recommendation to Facebook: Privacy Policy Improvements Facebook’s privacy policy is vague and subject to change at the whim of the owners of the website. it should be located in “My Privacy. Current Facebook Precaution Facebook allows users to de-associate themselves from unwanted data. The university is currently considering removing her from that role. A user-centered Terms of Service would clearly delineate which information is shared with which partners. This functionality has already resulted in trouble for an underage student at University of Missouri-Columbia when college administrators found a picture of her duct-taped to a chair while another student poured beer in her mouth. This is also an “opt-in” function that requires constant monitoring of the system. Facebook should seek to emulate MySpace in this manner. but in the case of pho­ tographs. then a method for tracking one’s request would increase the transparency of the process. 7. A notice period announcing a change in the Terms of Service is another change that would improve the user experience. If the process is complex.8 Lack of User Control of Information Threat Other users can upload and associate information to one’s Facebook account.” To actually make the option effective. (2) to enforce the MySpace.” 33 . whether or not a response is required by applicable law. users who want to take action would look to “My Privacy. The Facebook policy allows any disclosure of information to third parties that Facebook feels is appropriate. the link is buried in the privacy policy. The most prominent feature of this type is the “My Photos” feature.com. depending on whether a user clicked on a third party’s ad or joined a third party’s group. third party unless we believe that disclosure is necessary: (1) to conform to legal requirements or to respond to a subpoena. the data remains on the server. search warrant or other legal process received by MySpace. This was a matter of considerable embarassment as she had just been elected student body vice president.

9 Summary and Conclusion Ultimately. realize that the photos that you upload of other people may be viewed by their high school friends or their family. to not post information of illegal or policy-violating actions to their profiles. Revealing this sort of information needs to be viewed as the equivalent of going alone to the apartment of a person one met on the Internet. Although Facebook allows users to delete Wall postings and de-associate themselves with photographs. This lasting change will only come with time and understanding.1 Conclusion Postscript: What the Facebook does right A paper that analyzes the threats to privacy a system poses will inevitably adopt a negative tone about the target of its examination. Don’t post anything of them doing anything that you wouldn’t want your parents to see you doing.Recommendation to Facebook: Better Restrictions on Third-Party Information Third par­ ties’ ability to submit and associate information about users violates one of the key principles of information practices: the idea that users should have the ability to control and correct the informa­ tion about them in a particular database. The fact that each university Facebook is effectively its own 34 . Privacy should be the default. 8 8. We strongly advise all Facebook users to restrict access to their profiles. It is vital that Facebook users everywhere appreciate the potential for use of the system by administrators. and that they should only upload the pictures that they would feel comfortable having anybody on the Facebook viewing. encryption should be the norm. Recommendation to Users: Exercise Caution Users should be aware that there are effectively no access controls on pictures. In addition. and to be cautious with the information they make available. Unfortunately. Nobody can fault Facebook for students making questionable decisions. 7. there are also areas in which it is a leader among social networking sites. this is not an easy fix. Modifying the “My Privacy” feature to allow a blanket disabling of these features for a particular user would help users control their information. mistakes regarding privacy will continue to occur. this is an “opt-in” mechanism that requires constant monitoring. lasting change in online privacy will only come from a gradual development of common sense regarding what is appropriate to post in social networking forums. Although Facebook has flaws. but the environment that Facebook creates should be one that fosters good decision-making. Until users view alluding to underage drinking or drug use on their profiles as risky. and Facebook should take strides to inform users of their rights and responsibilities.

but no academic study has been done of its effect on end-users. This research aims to begin that dialogue. The consequences of excessive disclosure of personal information and false senses of security are just beginning to emerge. the existing security model is robust enough to solve most of the problems associated with it. Lada A. As with any emerging technology. the public needs to develop common sense about accepted practices on these sites. From a technological perspective. social networking sites are unique in that they standardize. more stories of students being disciplined because of Facebook appear in college newspapers every week. and encourage the publication of personal data to an unprecedented extent. which explicitly notes that there is no way to restrict profile information. The requirement of having a school email account to sign up is largely effective in preventing fake accounts and what could otherwise be a problem of Facebook “identity theft. The user community of this site and future sites will benefit from increased attention to these issues.com/research/idl/papers/social/social. a body of common knowledge about disclosing information online would protect the public. which contains detailed files on more than 8 million young adults. which would not require a substantial engineering effort. and Adar. centralize.pdf 35 . it would be allow users to control their data very easily. Buyukkotken. there has been little dialogue about investigating the protections put in place at one of the most-visited sites on the internet. 2002. “A Social Network Caught In The Web. Although the flaws with “My Photos” are pronounced. Eytan.2 Final Thoughts Facebook is used by over 8 million college students. Security by obscurity is not the best practice for any system. Although no national attention has been devoted to the issue. though not impossible. References [1] Adamic. let alone one used by so many. 8. This system makes data harvesting much harder. The current model would be close to ideal if the defaults and behaviors of settings were changed.” http://www. If the name search for photos followed “My Privacy” rules. the common sense regarding its proper use has lagged behind what technology has made possible. Much as it is now common sense to not meet people online without taking significant precautions. Orkut. Although the Internet has made it possible to publish personal information online for a decade.” The “My Privacy” settings model is fundamentally sound.hpl.hp.. As information retrieval and analysis tools become more powerful.site virtually firewalled off from the rest of the network is a much more private-by-default system than Friendster or MySpace.

Calif. Associated Press.php. [14] Marshall.com/misc/privacy. available online at http://viewmorepics. Steven.friendster. May 19. & Shah.friendster. potential ID theft victims face a lifetime of vigilance. Virginia. 2005. and Internet Policy.-based Facebook brings social networking online. “Dangerous Terms: A User’s Guide to EULAs. August 28. [3] Konrad. Copyright. http://www.myspace. Deborah and Linda Ackerman. 2005. [9] MySpace Terms of Service. Inc. [6] Federal Trade Commission. August 29.html. Rachel.privacyactivism. “Facebook Expands Operations at Terremark’s NAP West Facility” Tuesday November 1. Matt and Anna Tong. Annalee. 8:30 am ET. [12] Friendster Privacy Policy. [7] Facebook Privacy Policy.com/info/privacy. Defaults as De Facto Regulation: The Case of Wireless Access Points.facebook. Heath.htm [18] Phone Interview. C.facebook. “Fast Facts”. 1999.html [16] New York University Admissions.” http://www. 2005.com/policy.html.” San Jose Mercury News. “Palo Alto.org/wp/eula. (2005). R. [13] New York Times. Pierce. [8] Facebook Terms of Service.myspace.org/docs/DataAggregatorsStudy. available online at http://www. “Burned by ChoicePoint breach. February 24.php. Paper presented at the 33rd Telecommunications Policy Research Conference (TPRC) on Communication.com/misc/terms. 2005.php. Arlington. available online at http://www.com/sscalc. 36 . “Do You MySpace?” By Alex Williams. [15] Data Aggregators: A Study of Data Quality and Responsiveness. [10] MySpace Privacy Policy.com/terms.php.nyu.php.surveysystem. available online at http://viewmorepics.” [4] Terremark Worldwide. available online at http://www. Loaded December 14. [5] Newitz. Privacy Online: Report to Congress. [11] Friendster Terms of Service.[2] Sandvig. USA. http://admissions.edu/fast facts/ [17] Sample Size Calculator. available online at http://www.com/info/tos. and Confusion: Revisiting the Enforceability of ’Shrinkwrap’ Licenses.eff. Chicago-Kent Intellectual Property Law Society Journal of Intellectual Property. 2005 http://www. Information. Daniel Dedap [19] Contracts.

8.3

College Newspaper Articles

[20] Sealy, Will. “What facebook doesnt tell you.” The Flat Hat, student newspaper of The College of William and Mary. http://flathat.wm.edu/story.php?issue=2005-11-04&type=2&aid=3. Loaded December 14, 2005. [21] Zelkowitz, troversy.” Rachel. The “ Emory ‘Wasted’ Wheel Facebook Online, group November causes 22, con­ 2005. Loaded

http://www.emorywheel.com/vnews/display.v/ART/2005/11/22/43829c13eb4d8. December 14, 2005. [22] “Public Safety considers Facebook and a valuable tool for party

busts.” 4,

The 2005.

Colonnade,

Georgia

College

State

University.

November

http://www.gcsunade.com/media/paper299/news/2005/11/04/CampusNews/ Public.Safety.Considers.Facebook.A.Valuable.Tool.For.Party.Busts-1046210.shtmlLoaded December 14, 2005. [23] Paquin, Christine. “Administrators advise caution in Facebook postings” The Dartmouth, November 21, 2005. http://www.thedartmouth.com/article.php?aid=2005112101070. Loaded December 14, 2005. [24] “Facebook could invite more than your friends.” Oregon Daily Emerald, November 28, 2005. http://www.dailyemerald.com/vnews/display.v/ART/2005/11/28/438aca3122ba8. Loaded December 14, 2005. [25] Montermini, Fabrizio. “Facebook Raises Privacy Concerns.” The Trinity Tripod, Novem­ ber 29, 2005. http://www.trinitytripod.com/media/paper520/news/2005/11/29/News/ Facebook.Raises.Privacy.Concerns-1115345.shtml. Loaded December 14, 2005. [26] Martucci, Brian. “As Facebook grows, more than just friends are watching.” The Mac Weekly, December 9, 2005. http://www.themacweekly.com/article.php?arid=133. Loaded December 14, 2005. [27] Shoffel, olating Jessical. conduct “SUNY-ESF codes.” The warns Daily students of Facebook December content 2, vi­ 2005.

Orange,

http://www.dailyorange.com/media/paper522/news/2005/12/02/News/ SunyEsf.Warns.Students.Of.Facebook.Content.Violating.Conduct.Codes-1119079.shtml. Loaded December 14, 2005. [28] Woo, Stu. “The Facebook: not just for students.” The Brown Daily Herald, November 3, 2005. http://www.browndailyherald.com/media/paper472/news/2005/11/03/CampusWatch/ TheFacebook.Not.Just.For.Students-1044229.shtml. Loaded December 14, 2005. 37

[29] Walker, Rachel. “UTC cops check Facebook for underage drinkers.” The Echo online, Novem­ ber 10, 2005. http://www.utcecho.com/media/paper483/news/2005/11/10/Culture/UtcCops.Check.Facebook.For.Underage.Drinkers-1053481.shtml. Loaded December 14, 2005. [30] McIntyre, book land Luke. you in “FAILURE jail.” TO The COMMUNICATE: Carolinian Online, Don’t November let 8, Loaded Face2005. De­

http://www.carolinianonline.com/media/paper301/news/2005/11/08/Opinions/ Failure.To.Communicate.Dont.Let.Facebook.Land.You.In.Jail-1048102.shtml. cember 14, 2005. [31] Kramer, Melody Joy. “Forfeiting privacy, one post at a time.” The Daily Pennsylvanian, Novem­ ber 30, 2005. http://www.dailypennsylvanian.com/vnews/display.v/ART/438d34a676ff6. Loaded December 14, 2005. [32] Wang, Jiao. “Facebook Profiles Become Handy Tool for Recruiters.” The Tech, December 13, 2005. http://www-tech.mit.edu/V125/N61/facebook.html. Loaded December 14, 2005.

9 Acknowledgements
Harvey and Jose would like to thank Hal Abelson, Danny Weitzner, Keith Winstein, and Les Perelman for being available to answer questions and edit a 40-page paper multiple times. We would also like to thank the students that took our survey, and the numerous students that took time to discuss the Facebook with us. We would also like to thank Laura Martini and the rest of EC Second West for putting up with us, and the TEPs who gave us feedback. Without Dan Dedap and Sheeva Azma, this project would not have happened. Finally interviews we conducted provided invaluable background and insight.

9.1

Interview subjects

• Andrew Ryder, Assistant Dean, MIT Residential Life Programs • Sharon Snaggs, Residential Life Associate, MIT • Christopher Varenhorst, MIT Undergraduate • Facebook scraper (name withheld) • Jeff Gassaway, University of New Mexico Security Administrator • Cameron Walker, Fisher College student • Daniel Dedap, NYU alumnus, class of 2005 38

A

Facebook Privacy Policy

[7] This policy is effective as of June 28, 2005. Introduction The Facebook Privacy Policy is designed to assist you in understanding how we

collect and use the personal information that you provide to us and to assist you in making informed decisions when using the Facebook web site located at www.facebook.com (the “Web Site”). The Information We Collect When you visit the Web Site you may provide us with two types of

information: personal information you knowingly choose to disclose that is collected by us and Web Site use information collected by us on an aggregate basis as you and others browse our Web Site. When you register on the Web Site, you provide us with certain personal information, such as your name, your email address, your telephone number, your address, your gender, schools attended and any other personal or preference information that you provide to us. When you enter our Web Site, we collect the user’s browser type and IP address. This information is gathered for all users to the Web Site. In addition, we store certain information from your browser using “cookies.” A cookie is a piece of data stored on the user’s computer tied to information about the user. We use session ID cookies to confirm that users are logged in. These cookies terminate once the users close the browser. We do not use cookies to collect private information from any user. Facebook also collects information about you from other sources, such as newspapers and instant messaging services. This information is gathered regardless of your use of the Web Site. Children Under Age 13 Facebook does not knowingly collect or solicit personal information from

anyone under the age of 13 or allow such persons to register. If you are under 13, please do not send any information about yourself to us – including information like your name, address, telephone number, or e-mail address. No one under age 13 is allowed to provide any personal information or use our public forums. In the event that we learn that we have collected personal information from a child under age 13 without verification of parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at: info@facebook.com. Children Between the Ages of 13 and 18 Internet. Use of Information Obtained by Facebook When you register on the Web Site, you create your We recommend that minors over the age of 13 ask

their parents for permission before sending any information about themselves to anyone over the

own profile and privacy settings. Your profile information, as well as your name, email and photo, 39

This privacy statement applies solely to information collected by Facebook Web Site. No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings. We use the information about you that we have collected from other sources to supplement your profile unless you specify in your privacy settings that you do not want this to be done. In addition. • If the ownership of all or substantially all of the Facebook business were to change. In this way. please submit a request by clicking here http://mit. such as to send email solici­ tations. your user information would likely be transferred to the new owner. such as subpoenas or court orders. lawyers. Sharing Your Information with Third Parties We may share your information with third parties. our service providers may have access to your personal information for use in connection with these business activities. or others who are using your computer. Facebook is not responsible for the privacy We will make every effort to implement any practices of other web sites. new services we think you may find valuable. occasionally. This information allows 40 . we may share account or other information when we believe it is necessary to comply with law or to protect our interests or property. Links This site may contain links to other websites. In connection with these offerings and business operations. Additionally.are displayed to people in the groups specified in your privacy settings to support the function of the Web Site. choice you make as soon as possible. If you do not want to receive promotional email from Facebook and/or do not want us to share your informa­ tion with third parties for marketing purposes. For example: • We may provide information to service providers to help us bring you the services we offer. Our advertising partners may download cookies to your computer. Doing this allows the advertising network to recognize your computer each time they send you an advertisement. we may use your name and email address to send you notifications regarding the Web Site and. • We may be required to disclose customer information pursuant to lawful requests.php?add=1.com/help. This may include sharing information with other companies. agents or government agencies. including responsible companies with which we have a relationship. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects personally identifiable information. Third Party Advertising Advertisements that appear on the Web Site are delivered to users by our advertising partners. we may use third parties to facilitate our business. they may compile information about where you.facebook. Specifically. saw their advertisements and determine which advertisements are clicked. or in compliance with applicable laws.

If we do this. We reserve the right. at our sole discretion. Information will be updated immediately. The Facebook service is operated by the Facebook network (“Facebook”). It is your responsibility to regularly review these Terms of Use. please visit our Help page http://mit. If you have any questions about the security of Facebook Web Site. or delete portions of these Terms of Use at any time without further notice. Security Facebook takes appropriate precautions to protect our users’ information. modify. Introduction Welcome to the Facebook.php for more information. By using the Facebook web site (the “Web site”) you signify that you have read. 41 . This privacy statement covers the use of cookies by Facebook and does not cover the use of cookies by any of its advertisers.com/help. we request that you do not send private information to us by email. Your continued use of the Web site after any such changes constitutes your acceptance of the new Terms of Use. Contacting the Web Site If you have any questions about this privacy policy. understand and agree to be bound by these Terms of Use (this “Agreement”).facebook. If we do this. please do not use or access Web site. Changing or Removing Information Facebook users may modify or remove any of their personal information at any time by logging into their account. Your account information is located on a secured server behind a firewall.an advertising network to deliver targeted advertisements that they believe will be of most interest to you. an online directory that connects people through net­ works of academic and geographic centers.facebook..com/help. 2005. We therefore encourage you to refer to this policy on an ongoing basis so that you understand our current privacy policy. Changes in Our Privacy Policy We reserve the right to change our privacy policy at any time. to change. If you do not agree to abide by these or any future Terms of Use. we will post the changes to this policy on this page and will indicate at the top of this page the policy’s effective date. we will post the changes to these Terms of Use on this page and will indicate at the top of this page the Terms of Use’s effective date. Because email is not recognized as a secure medium of communication. Facebook does not have access to or control of the cookies that may be placed by the third party advertisers. add. B Facebook Terms Of Service [8] These Terms of Use are effective as of October 3.php for more information. please visit our Help page http://mit.

or contain libelous. or falsely state or otherwise misrepresent yourself or your affiliation with any person or entity. or racially.” “spam.Eligibility You must be thirteen years of age or older to register as a member of Facebook or use the Web site. Proprietary Rights in Content on Facebook All content on Web site. and their selection and arrangement (the “Content”). including but not limited to design. • intimidate or harass another. transmit or otherwise make available any unsolicited or unauthorized advertising. files or programs designed to interrupt. hateful. at any time. By using the Web site. ethnically or otherwise objectionable. harassing.” or any other form of solicitation. non-commercial use only. disable. overburden or impair Web site. privacy or other personal or proprietary rights. You further agree that you may not use Web site in any unlawful manner or in any other manner that could damage. • upload. vulgar. service or system without authorization from Web site. • use or attempt to use another’s account. Membership in the Service is void where prohibited. Additionally. email. post. “junk mail. obscene. you are not allowed to register and become a member of Facebook or access Facebook content. features and services on the Web Site. promotional materials. other files. Member Conduct You understand that the Web site is available for your personal. abusive. You further agree not to harvest or collect email addresses or other contact information of members from the Web site by electronic or other means for the purposes of sending unsolicited emails or other unso­ licited communications. • impersonate any person or entity.” “pyramid schemes.” “chain letters. You agree that no materials of any kind submitted through your account will violate or infringe upon the rights of any third party. Facebook may terminate your membership for any reason. post. are 42 . If you are under the age of 13. including copyright. • upload. graphics. or create a false identity on this website. text. email. post. destroy or limit the functionality of any computer software or hardware or telecommunications equipment. you agree not to use the Web site to: • upload. email. you agree not to use automated scripts to collect information from the Web site or for any other purpose. trademark. threatening. transmit or otherwise make available any content that we deem to be harmful. defamatory or otherwise unlawful material. you represent and warrant that you agree to and to abide by all of the terms and conditions of this Agreement. transmit or otherwise make available any material that contains software viruses or any other computer code. In addition.

please contact us at copyright@facebook. downloaded. without Web site’s prior written permission. All trademarks. a description of where the material that you claim is infringing is located on the Web site. or sold in any form or by any means. in whole or in part. Intranet or Extranet site or incorporate the information in any other database or compilation. Member Content Posted on the Site You are solely responsible for the content. Any other use of the Content is strictly prohibited. If you choose to remove your Member Content. You may download or print a copy of any portion of the Content solely for your personal. telephone number. If you believe your work has been copied in a way that constitutes copyright infringement or are aware of any infringing material on the Web site. non-commercial use. By posting Member Content to any part of the Web site. your address. “post”) on the Service. without the prior written permission of Facebook. Copyright Policy Facebook respects the intellectual property rights of others. distributed. The Content may not be modified. harm. and email address. trade dress and service marks on the Web site are either trademarks or registered trademarks of Facebook or its licensors and may not be copied. 43 .the proprietary property of Facebook or its licensors. a statement by you. photos or profiles Content that you publish or display (hereinafter. or used. display. worldwide license (with the right to sublicense) to use. You may remove your Member Content from the site at any time. and you represent and warrant that you have the right to grant. a description of the copyrighted work that you claim has been infringed. copy. such information and content. perpetual. or transmit to other Members (collectively the “Member Content”). provided that you keep all copyright or other proprietary notices intact. a written statement by you that you have a good faith belief that the disputed use is not authorized by the copyright owner. reformat. excerpt (in whole or in part) and distribute such information and content and to prepare derivative works of. and to grant and authorize sublicenses of the foregoing. transferable. reproduced.com and provide us with the following information: an electronic or physical signature of the person authorized to act on behalf of the owner of the copyright interest. All rights reserved. in whole or in part. non-exclusive. or incorporate into other works. translate. logos. the license granted above will automatically expire. its agent. you automatically grant. or threaten the safety of Members. posted. that the above information in your notice is accurate and that you are the copyright owner or authorized to act on the copyright owner’s behalf. made under penalty of perjury. republished. or the law. framed. to Facebook an irrevocable. or that might violate the rights. transmitted. perform. imitated. You understand and agree that Facebook may review and delete or remove any Member Content that in the sole judgment of Facebook violate this Agreement or which might be offensive. fully paid. displayed. illegal. You may not republish Content on any Internet. copied.

accuracy or opinions express in such web sites. of any user of the Web site or Member of the Service. whether caused by users of the Web site. Disclaimers Facebook is not responsible for any incorrect or inaccurate Content posted on the Web site or in connection with the Service. interruption. computer online sys­ tems. If you decide to leave Facebook Web site and access these third-party sites. Facebook assumes no responsibility for any error. communications line failure. defect. omission. whether online or offline. computer equipment. Facebook reserves the right. failure of email or players on account of technical problems or traffic congestion on the Internet or at any web site or combination thereof. delay in operation or transmission. THE WEB SITE. FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. The Service may be temporarily unavailable from time to time for maintenance or other reasons. Members or by any of the equipment or programming associated with or utilized in the Service. or alteration of. Facebook is not responsible for the conduct. Facebook is not re­ sponsible for the content. MERCHANTABILITY. monitored or checked for accuracy or completeness by us. Privacy Facebook cares about the privacy of its members. including injury or damage to users and/or Members or to any other person’s computer related to or resulting from participating or downloading materials in connection with the Web and/or in connection with the Service. THE SERVICE AND THE CONTENT ARE PROVIDED “AS-IS” AND FACEBOOK DISCLAIMS ANY AND ALL WAR­ RANTIES. whether online or offline. servers or providers. and such web sites are not investigated. deletion. theft or destruction or unau­ thorized access to. 44 . Member Disputes Members. FACEBOOK CANNOT GUARANTEE AND DOES NOT PROMISE ANY SPECIFIC RESULTS FROM USE OF THE WEB SITE AND/OR THE SERVICE. you do so at your own risk. Inclusion of any linked web site on Facebook Web site does not imply approval or endorsement of the linked web site by Facebook. WHETHER EXPRESS OR IMPLIED. including personal injury or death. Facebook is not responsible for any problems or technical malfunction of any telephone network or lines. to monitor disputes between you and other Privacy Policy. INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF TITLE. software. or any interactions be­ tween users of the Web site. Under no circumstances will Facebook be responsible for any loss or damage.Links to other websites The Web site contains links to other web sites. resulting from anyone’s use of the Web site or the Service. user or Member communications. but has no obligation. any Content posted on the Web site or transmitted to Members. Click here to view the Web site’s You are solely responsible for your interactions with other Facebook Members.

including reasonable attorney’s fees. If any provision of this Agreement is held invalid. its subsidiaries. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN. EVEN IF FACEBOOK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Governing Law and Venue If there is any dispute about or involving the Web site and/or the Service. affiliates.Limitation on Liability EXCEPT IN JURISDICTIONS WHERE SUCH PROVISIONS ARE RE­ STRICTED. or demand. Other These Terms of Use constitute the entire agreement between you and Facebook regarding the use of the Web site and/or the Service. agents. C Facebook “Spider” Code: Acquisition and Processing The following code extracts all Facebook accounts from a given school that are accessible given the user account provided. liability. made by any third party due to or arising out of your use of the Service in violation of this Agreement or your violation of any law or the rights of a third party. FACEBOOK’S LIABILITY TO YOU FOR ANY CAUSE WHATSOEVER. harmless from any loss. superseding any prior agreements between you and Facebook relating to your use of the Web site or the Service. California and waive all defenses of lack of personal jurisdiction and forum non conveniens. The failure of Facebook to exercise or enforce any right or provision of these Terms of Use shall not constitute a waiver of such right or provision. and other partners and employees. claim. 45 . IF ANY. You also agree to the exclusive jurisdiction and venue of the courts of the state and federal courts of Santa Clara County. you agree that the dispute will be governed by the laws of the State of California without regard to its conflict of law provisions. IN NO EVENT WILL FACEBOOK BE LIABLE TO YOU OR ANY THIRD PERSON FOR ANY INDIRECT. officers. Questions Please visit our Help page for more information. Any cause of action by you with respect to the Web site and/or the Service must be instituted within one (1) year after the cause of action arose or be forever waived and barred. BY YOU TO FACEBOOK FOR THE SERVICE DURING THE TERM OF MEMBERSHIP. CONSEQUENTIAL. the remainder of this Agreement shall continue in full force and effect. INCIDENTAL. SPECIAL OR PUNITIVE DAMAGES. WILL AT ALL TIMES BE LIMITED TO THE AMOUNT PAID. AND REGARDLESS OF THE FORM OF THE ACTION. INCLUDING ALSO LOST PROFITS ARISING FROM YOUR USE OF THE WEB SITE OR THE SERVICE. Indemnity You agree to indemnify and hold Facebook. EXEMPLARY.

12) Gecko/20050915 Firefox/1.com/login.*?>’) def make_search(str): lam = lambda data: re. "Favorite Movies".C. Windows NT 5. "Hometown". U.sub("".compile(’<. data) return lam def strip_html(data): return htmltag.7. "Status". "Sex". "Favorite Books"] 46 .facebook.1.1.txt http://SCHOOL. data) attrib=["Name". "Interests". "Site". "Favorite Music".*" % str.1 Data Downloading BASH Shell Script wget --cookies=on --user-agent=’Mozilla/5.7’ --save-cookies=cookies.php?id=$COUNT done COUNT = USERID_LOW .0. "Screenname".php?email=LOGIN&pass=PASS’ for (( do wget --cookies=on --wait=12 --random-wait --user-agent=’Mozilla/5. "Concentration".facebook.7. "High School". "Residence".search(".com/profile.0 (Windows. "Mobile".0 (Windows.txt ’http://www. "School".12) Gecko/20050915 Firefox/1. en-US. U.2 Facebook Profile to Tab Separated Variable Python Script import string import sys import re import os htmltag = re. COUNT++ )) C.txt --keep-session-cookies --load-cookies=cookies. Windows NT 5. COUNT <= USERID_HIGH.0.*%s\:. en-US.7’ --save-cookies=cookies. "Mailbox".txt --keep-session-cookies --load-cookies=cookies. rv:1. "Member Since". rv:1. "Last Update". "Clubs and Jobs".

" ")[0][2:] except IndexError: friends= "" try: data = string. "&")[0] for f in fields: 47 . "category_id=2")[1] friends = string.split(field[0]. data) if field == []: fields[x] = "" else: fields[x] = string. "<!-.lambdas = map(make_search.split(data. "Groups")) == 2: data = string.stderr.split(friendstr.userprofile -->")[0] except IndexError: sys.split(data.split(data. "r") data = f.split(data. "<h2>Information</h2>")[1] data = string.split(fields[x]. attrib) def process(fname): f = open(fname.split(data. ":")[1] if attrib[x] == "Name": fields[x] = string.read() dbak = data try: friendstr = string.split(data.write("Error! %s" % fname) data = dbak if len(string. "Groups")[0] data = string. data) fields=[""]*len(attrib) for x in range(len(attrib)): field = filter(lambdas[x]. "\n") data = map(strip_html.

argv[1]) val = string.3 C. "October":"10". "August":"08".py col val # afterdate prints all records whose column #col is after val # val is of the form yyyymmdd col = int(sys.argv[1]+"/"+ f) C.argv[1]): if f[:5] == "profi": process(sys. "June":"06". "September":"09". "\t".print f.argv[2]) s = "foo" month={"January":"01". "March":"03". "February":"02".1 Data Analysis Scripts The after date script. "November":"11". import string import sys # usage: python afterdate. "May":"05". "April":"04". print friends for f in os.listdir(sys.} while True: 48 . "July":"07".3. "December":"12".strip(sys.

month[fs[0]].strip(string.write("PROCESS ERROR\n") continue fs = string.stderr. "\t")[col]) except IndexError: sys. import string import os import sys vals=[0]*150 col = int(sys.3.2 The bin count script.argv[1]) bin = int(sys.split(s.argv[2]) s = "foo" while True: try: s = raw_input() except EOFError: break try: 49 .split(field) if len(field) > 2: date = int("%s%s%02i" % (fs[2].argv[2]): print s C.try: s = raw_input() except EOFError: break try: field = string. int(fs[1][:-1]))) if date> int(sys.

split(s.argv[2]) == 1: for k in vals: print k C. then February 2004.field = string.3. etc. import string import sys # usage: bindate col # col = number of column to use MUST BE A DATE COLUMN # bindate prints the number of records where # column #col = January 2004. col = int(sys. field try: vals[fval/10] += 1 except IndexError: print len(vals) print "ERROR:" + str(fval) if int(sys.3 The bin date script. "\t")[col] except IndexError: print "PROCESS ERROR" continue if field == "one": field = "1" if field == "": continue try: fval = int(field) except ValueError: print "ERROR:".argv[1]) 50 .

"August":"08". "February":"02".strip(string. "May":"05".} year={ "2004": 0. "December":"12". "September":"09".write("PROCESS ERROR\n") continue fs = string. "March":"03". "October":"10". "November":"11". "July":"07".split(s.split(field) if len(field) > 2: bins[year[fs[2]]*12 + int(month[fs[0]])-1] += 1 51 .stderr. "2005": 1} bins=[0]*24 while True: try: s = raw_input() except EOFError: break try: field = string. "April":"04". "\t")[col]) except IndexError: sys.s = "foo" month={"January":"01". "June":"06".

for x in range(len(bins)): y = str(2004 + x/12) m = str((x % 12) + 1) print bins[x] # C. "\t")[col] except IndexError: print "PROCESS ERROR" continue 52 .3.split(s. bins[x]) The count number script.argv[1]) s = "foo" n = 0 while True: try: s = raw_input() except EOFError: break try: field = string. y. import string import os import sys # countnumber col printall # Countnumber reads from stdin and generates a histogram of the column # col = the column to read from # printall = whether to print each individual value vals={} col = int(sys.4 print "%s/%s\t%i" % (m.

if n % 500 == 0: print field if field in vals. vals[" "] print "NOTBLANK : ".vals[" "] import string import sys # usage: python filterfield.keys(): print "BLANK : ". n C.3. do nothing col = int(sys.5 The filter field script. print this record # otherwise.argv[2]) s = "foo" while True: try: s = raw_input() except EOFError: break 53 . vals[k] if " " in vals.argv[2]) == 1: for k in vals. n .keys(): print k. print "TOTAL : ".argv[1]) val = string. "\t".strip(sys.py col val # if col is equal to val.keys(): vals[field]+=1 else: vals[field] = 1 n += 1 if int(sys.

6 The greater than script.strip(string. "\t")[col] except IndexError: print "PROCESS ERROR" continue if field == "one": field = "1" if field == "": 54 .3.stderr.split(s.split(s.argv[2]) s = "foo" while True: try: s = raw_input() except EOFError: break try: field = string.try: field = string. import string import os import sys vals=[0]*150 col = int(sys.argv[1]) val = int(sys. "\t")[col]) except IndexError: sys.write("PROCESS ERROR\n") continue if field == val: print s C.

continue try: fval = int(field) except ValueError: print "ERROR:". field try: if fval > val: print s except IndexError: print len(vals) print "ERROR:" + str(fval) 55 .

we included the numerical results of the numerous analyses we performed on the data we collected from users and directly from Facebook. of these figures earlier. 56 . This data is useful alone in looking for trends and correlations that did not find their way into this paper. but not all. We referred to many.Which gender describes you best? n=419 Number No Response Male Female 9 186 224 Percentage 3% 44% 53% Figure 11: Gender of survey takers D Supplemental Data In this section.

76% 0.43% 0.24% 0. 6 Phi Delta Theta Phi Kappa Sigma Phi Kappa Theta Pi Lambda Phi Pika Random Hall Senior House Sidney-Pacific Sigma Alpha Epsilon Sigma Chi Sigma Kappa Sigma Nu Simmons Hall Tau Epsilon Phi Theta Xi WILG Zeta Beta Tau Number Responding 45 1 1 4 4 1 2 87 2 107 1 2 2 9 2 3 4 1 2 1 1 1 1 42 6 1 1 1 1 1 63 7 1 10 1 Percentage 10.24% 0.95% 0.39% 0.95% 0.24% 0. 57 .48% 25.48% 0.24% 0.72% 0.48% 0.48% 2.54% 0.48% 0.24% Figure 12: Chart of survey takers over dorms and ILGs.15% 0.24% 0.48% 20.24% 2.24% 0.24% 0.24% 0.95% 0.04% 1.24% 10.24% 0.24% 0.24% 15.24% 0.24% 0.74% 0.02% 1.67% 0.Which best describes your living arrangements? n=419 House No Response Alpha Chi Omega Alpha Epsilon Phi Alpha Phi Baker House Beta Theta Pi Bexley Hall Burton Conner House Chi Phi East Campus Kappa Alpha Theta Kappa Sigma Lambda Chi Alpha MacGregor House McCormick Hall New House Next House No.

39% 90.1% 3.34% Figure 14: Status of survey takers 58 .69% 3.Figure 13: Distribution of survey takers over dorms and ILGs. What is your student status? n=419 Number No Answer Undergrad Grad Student Alumnus 10 380 13 14 Percentage 2.

89% Number Male 66 36 27 22 11 Number Female 70 57 37 18 10 Figure 15: Logins per week 59 .Facebook Logins Per Week n=371 Number 1 to 3 4 to 8 9 to 15 20 to 30 31 or more 139 95 64 40 33 Percentage 37.78% 8.25% 10.47% 25.61% 17.

96% 2.95% 37.81% 30.32% 14.12% Males 3 31 54 58 15 4 Females 2 23 62 84 33 2 Figure 16: Number of Friends at MIT 60 .Number of friends n=378 Number 1 to 10 11 to 50 51 to 100 101 to 200 201 to 349 350 or more 5 56 117 143 49 8 Percentage 1.83% 12.

56% 28.34% 11.77% 11.56% Males 2 20 56 72 12 Females 3 23 49 101 28 Figure 17: Percentage of Friends from MIT 61 .76% 46.Percentage of friends from MIT n=372 Number 1-15% 16-33% 34-50% 51-75% 76-100% 5 43 107 174 43 Percentage 1.

45% 7.Number Allowing Strangers To Friend n=383 Number No Yes Sometimes 243 30 110 Percentage 63.72% Males 109 17 44 Females 129 12 65 Figure 18: Analysis of users friending strangers on Facebook 62 .83% 28.

Facebook and My Privacy: Familiarity and Utilization n=419 Number Familiar No Answer No Yes 30 100 289 Males 15 38 133 Females 33 59 152 Number Using 39 234 146 Males 18 111 57 Females 19 119 86 Figure 19: My Privacy. and knoweldge and utilization thereof 63 .

61% 6.56% 31.1% 35.How concerned are you about Facebook and privacy? n=329 Number Not at all Barely Somewhat Quite Very Concerned 76 117 104 20 12 Percentage 23.65% Males 43 43 39 7 7 Females 31 71 64 12 5 Figure 20: Concern for Facebook Privacy 64 .08% 3.

92 % 82.16 % 84. 65 .Reading of Facebook Terms of Service and Privacy Policy n=419 Read TOS? No Answer No Yes 30 353 36 Percentage 7.25 % 8.82 % 10.26 % Figure 21: Most users do not read the policies that regulate their Facebook use.59 % Read PP? 29 347 43 Percentage 6.

05% 33. Familiarity with “My Photo” feature and policies. indicating a guess.53 % 47.16% 11.73 % Figure 22: Users are split on whether or not Facebook can share your information with other companies. n=419 Familiar No Answer No Yes 30 47 342 Percentage 7.Can Facebook Share Information? n=419 Number Responding No Answer No Yes 45 174 200 Percentage 10.62% Can you restrict access? 84 139 196 Percentage 20.22% 81.78% Figure 23: Are you familiar with “My Photo?” Can you restrict access to it? 66 .17% 46.74 % 41.

Does Facebook do an adequate job in protecting your privacy? n=419 Number No Answer No Yes 102 139 177 Percentage 24.24% Males 48 67 70 Females 50 68 106 Figure 24: Users show indifference and approval for Facebook’s security practices.17% 42.34% 33. 67 .

5% 0.5% 10.74% 39.94% 52.07% 0.03% 33.17% 14.89% 10.Distributions Of Facebook User Categories At Four Universities MIT Size Males Females 2003 2004 2005 2006 2007 2008 2009 2010 Other Alumnus/Alumna Faculty Grad Student Staff Student Summer Student Undergraduate 8023 3868 2483 189 539 762 878 948 1016 921 93 2677 2226 76 845 161 4702 10 – 48.72% 9.61% 9.95% 10.59% 16.41% 6.92% 0.18% 49.53% 2.76% 73.63% 10.12% 0.25% 16.16% 33.83% 13.21% 30.55% 0.94% 7.39% 3.82% 12.15% 0.17% 10.46% 4.59% 0. 68 .52% 44.31% NYU 24696 8689 12118 200 961 2643 3353 3850 4012 4076 60 5541 4730 183 1511 187 18055 26 – 35.16% 11.11% – Harvard 17750 7461 5940 876 1351 1605 1657 1710 1785 1583 132 7051 7010 208 1933 438 8085 27 – 42.02% 26.06% 8.37% 27.) Figure 25: Summary of Facebook usage statistics at four schools: the Massachusetts Institute of Technology.95% 2.51% 0. User Distribution: Kinds of Users at each school.83% 15.27% 0. University of Oklahoma.7% 13.01% 58.81% 25.94% 11.66% 11. New York University. and Harvard University.37% 0.24% 22.34% 9.15% – Number Reporting Gender: Distribution Class Distribution: Graduating class of year indicated.27% 0.26% 15.74% 6.12% – Oklahoma 19910 8863 8814 78 630 2224 2952 3039 3151 2690 162 4984 2662 81 1312 188 10406 4 5239 44.47% 45.61% 0.44% 19.75% 0. (“Undergraduate” unique to OU.11% 0.03% 13.89% 2.48% 1.36% 6.49% 1.58% 15.04% 9.81% 3. self reported.72% 39.

9 % 49.1 % 93.Willingness to Share Personal Information at each school.32 % 66.25 % Harvard 4260 7270 8186 8582 8607 8758 9116 10694 11271 13401 Harvard 7466 7613 5965 3100 6661 5452 6457 6295 6293 8497 9391 79.34 % 65.07 % 63.71 % 83.27 % 73.5 % 81.7 % 50.89 % 100 % 74. showing all users and only those who have updated their profiles on or after October 1.88 % 70.78 % 40.76 % 67.48 % 88.42 % 13.69 % 65.96 % 46.53 % 100 % NYU 11582 18359 16157 3443 16473 12426 16470 16218 15427 20807 NYU 9601 14341 12627 2698 13047 9839 13091 16387 12216 15479 16387 58.51 % 77. All Students Residence High School Screen Name Mobile Interests Clubs/Jobs Music Movies Books Gender After 10/1/05 Residence High School Screen Name Mobile Interests Clubs/Jobs Music Movies Books Gender Total MIT 5172 5252 4341 1700 4453 3400 4236 4084 3956 6351 MIT 3309 3433 2890 1159 2996 2373 2894 2808 2710 3817 4100 80.15 % 78.35 % 48.62 % 60.24 % 75.12 % 48.62 % 68.19 % 55. at four schools.03 % 67.93 % 58.46 % 65.47 % 84.46 % 100 % 46.05 % 16.9 % 74.5 % 75.11 % 81.25 % 63.55 % 13.93 % 95.94 % 66.5 % Oklahoma Figure 26: Willingness of Facebook users to disclose personal information on the service.34 % 51.52 % 33.59 % 68.01 % 90.49 % 66.71 % 60.5 % 42.55 % 94.73 % 70.1 % 100 % 64.11 % 21.07 % 57.44 % 88.01 % 70.06 % 68.59 % 87.28 % 83.67 % 62.31 % 79.8 % 50.22 % 14.84 % 66. 69 .49 % 49.93 % 84.1 % 86.48 % 100 % 24 % 40.93 % 75.49 % 28.39 % 76.16 % Oklahoma 7190 16133 10860 2637 15099 13170 15608 15255 13626 17677 6316 13841 9396 2228 13075 11562 13564 13251 11848 14906 15603 36.36 % 60. 2005.03 % 54.38 % 52.46 % 79.8 % 74.46 % 54.04 % 79.

14 % 20.67 % 83.55 % 84.3 % 68.58 % 61.9 % 20.37 % 58.2 % 100 % 77.65 % 66.59 % 84.24 % 64.18 % 63.54 % 66.69 % 77.59 % 61.86 % 60.1 % 86. 70 .7 % 50.02 % 64.03 % 76.44 % 59.59 % 100 % Harvard 5804 5479 4224 2461 4680 3770 4572 4439 4410 7461 Harvard 4852 4577 3474 1577 3763 3064 3624 3599 3635 5940 81.Willingness to Share Personal Information at each school.94 % 100 % NYU 4536 7066 6374 1930 6468 4897 6513 6369 5960 8689 NYU 6736 10631 9103 1407 9276 7032 9289 9233 8846 12118 55.19 % 73 % 100 % 52.79 % 73.41 % 100 % 40.35 % 51. by gender.21 % 74.65 % 76.06 % 81.36 % 22.2 % 81.98 % 62.89 % 67. by gender.42 % 100 % 77.96 % 73.2 % 62.29 % 81.5 % 59.28 % 59.71 % 85.53 % 61.36 % 59 % 8.73 % 50.11 % 100 % Oklahoma Figure 27: Willingness of Facebook users to disclose personal information on the service.36 % 74.48 % 26.99 % 69. at four schools.44 % 56.68 % 77.49 % 75.97 % 88.59 % 87.81 % 73.61 % 32.01 % 60.61 % 76.44 % 56.05 % 58.99 % 29.55 % 58.95 % 90.12 % 11.01 % 100 % Oklahoma 3377 7661 5309 1859 7888 6168 7471 7223 6418 8863 3609 7964 5200 710 7211 6497 7540 7447 6693 8814 38.73 % 75.36 % 64.5 % 72.32 % 73.55 % 63.89 % 53. Males Residence High School Screen Name Mobile Interests Clubs/Jobs Music Movies Books Gender Females Residence High School Screen Name Mobile Interests Clubs/Jobs Music Movies Books Gender MIT 3005 2979 2514 1147 2580 1941 2470 2335 2244 3868 MIT 2003 2083 1667 510 1661 1325 1595 1594 1550 2483 80.

45 % 1.19 % 4.05 % 11.69 % 0. 05 Sep 1.18 % 3. 04 Dec 1. 04 Apr 1.95 % 2. 05 Feb 1.78 % 2.67 % 3.44 % 2. 04 Jul 1.71 % 4.11 % 0% 0.88 % 0.71 % 3.33 % 0.82 % 100 % Update 0 0 0 0 18 22 39 51 60 67 62 99 94 101 185 250 252 482 907 1638 2493 6820 0% 0% 0% 0% 0.39 % 0.67 % 2009 Join 0 0 0 1 4 2 1 1 0 3 2 1 1 5 322 211 142 155 44 22 4 921 0% 0% 0% 0.9 % 2.37 % 1.42 % 2.48 % Figure 28: Facebook usage data for the Massachusetts Institute of Technology.65 % 14.26 % 0.05 % 2.38 % 1.99 % 2.91 % 15.91 % 1. 05 Total Join 1087 879 601 329 340 392 403 274 240 230 245 226 196 184 515 400 336 378 335 285 146 8021 13.49 % 0.24 % 4.2 % 1.87 % 3.43 % 0.22 % 1.11 % 0.1 % 4.22 % 0.98 % 0.49 % 4.11 % 0. 04 Aug 1.3 % 24.74 % 2.55 % 10.22 % 1.07 % 13.82 % 2.49 % 0.55 % 1.7 % 7. 04 Sep 1.9 % 3.03 % 2007 Join 320 195 83 21 18 37 27 26 20 21 27 21 14 12 13 15 11 12 24 21 10 948 33.89 % 9.57 % 8.89 % 1.49 % 19.75 % 0.43 % 11. 04 Nov 1. 05 Oct 1.32 % 0.96 % 22. 05 Aug 1. 04 May 1.57 % 0.42 % 16.22 % 0. 05 Jun 1.85 % 2.89 % 5.76 % 2. 05 Nov 1.55 % 85. 05 Jul 1. 04 Jan 1. 04 Jun 1.11 % 0.27 % 1.58 % 1. 05 Apr 1.02 % 3.07 % 0.48 % 2.3 % 0.3 % 2.69 % 0.83 % 4.22 % 1. 05 May 1.16 % 1.02 % 36.3 % 12.98 % 0. 05 Mar 1.29 % 6. 71 .22 % 2.27 % 2.11 % 0.54 % 34.48 % 1.When Users Join And Update Facebook at MIT Month Of Mar 1.85 % 2.11 % 2.99 % 4.24 % 6.38 % 1.96 % 7.57 % 0.82 % 2008 Join 3 9 98 143 198 196 165 64 30 21 5 10 9 11 7 5 2 14 16 7 3 1016 0.53 % 2.29 % 16.07 % 19.08 % 0.76 % 20.42 % 4. 04 Oct 1.

81 % 2.55 % 5.73 % 4. 04 Sep 1. 05 Jul 1.18 % 5. 05 Feb 1.25 % 3.65 % 0.01 % 3.89 % 0.25 % 2.65 % 13.52 % 4.63 % 2.36 % 26.78 % 13.09 % 4.03 % 0.71 % 5.28 % 1.56 % 13.52 % Figure 29: Facebook usage data for the University of Oklahoma.2 % 0.29 % 15.2 % 6. 05 Nov 1.63 % 3. 05 Jun 1.16 % 10.82 % 65. 04 Oct 1.14 % 0.46 % 2.49 % 1.11 % 0. 05 Apr 1.36 % 0.33 % 4.51 % 0.98 % 7.01 % 2. 05 Oct 1.32 % 4.When Users Join And Update Facebook at U.89 % 93.44 % 1.92 % 2007 Join 1 141 254 813 458 218 208 107 122 103 71 75 127 174 130 37 3039 0.89 % 1.22 % 5.84 % 3.64 % 8.03 % 34.78 % 0.16 % 4.97 % 5. 72 .02 % 6. 05 May 1.25 % 4.85 % 100 % Update 0 5 4 38 79 68 95 122 151 223 179 274 564 1242 3329 12311 18684 0% 0.39 % 2.61 % 7.16 % 29.38 % 3.62 % 8.73 % 3.83 % 15.17 % 6.84 % 2009 Join 0 3 3 24 21 24 40 37 97 196 414 650 805 259 96 21 2690 0% 0.39 % 24.28 % 2008 Join 0 131 316 1089 432 188 183 86 109 83 71 73 131 134 99 26 3151 0% 4.93 % 9.86 % 19. 05 Aug 1.65 % 17.47 % 4. 04 Nov 1.03 % 4.2 % 5.47 % 3. 05 Total Join 1 448 966 3908 2723 1388 1411 836 1008 862 905 1117 1631 1237 1083 369 19893 0.02 % 0.19 % 0. 04 Jan 1.07 % 7.81 % 1. 04 Dec 1. 05 Mar 1.11 % 0.34 % 2.22 % 15. 05 Sep 1.57 % 0.42 % 0.75 % 15.69 % 6.07 % 4. Oklahoma Month Of Aug 1.96 % 1.

12 % 0.31 % 2.95 % 5. We strongly recommend that Facebook read and consider this valuable user feedback.05 % 0% 4.69 % 0. Of 441 respondents.03 % 5.24 % 0.56 % 3.25 % 2009 Join 0 5 3 1 1 3 1 3 4 3 2 0 179 429 839 850 800 621 251 69 12 4076 0% 0.44 % 0. Facebook is not a tool of big brother.7 % 13.84 % 0.88 % 3.04 % 33.56 % 2.9 % 2.11 % 0.29 % 16.49 % 8.72 % 0.9 % 0.05 % 1.85 % 19. 05 Jun 1.07 % 0.01 % 3. 05 Jul 1.When Users Join And Update Facebook at NYU Month Of Mar 1.45 % 5.64 % 1.53 % 100 % Update 0 0 0 3 18 24 54 98 143 161 169 177 222 278 477 480 526 998 1923 4776 11686 22213 0% 0% 0% 0.53 % 20.63 % 15. 04 May 1.52 % 5.02 % 0.1 User Feedback • Facebook doesn’t really secure your data.24 % 6.73 % 14.43 % 2. all of this information is readily available to anyone will to put 15 minutes into stalking a person. but then again you’re putting it up for the world to see.15 % 2.66 % 21.95 % 1.05 % 4.65 % 5.62 % 0. 04 Nov 1.87 % 3. 73 .13 % 1.5 % 1.39 % 10.25 % 2.64 % 3. 04 Jun 1. 04 Sep 1. All included feedback results are as entered by the users. 05 Sep 1. 04 Aug 1.16 % 2.15 % 1.34 % 9.01 % 0.5 % 52.69 % 0.11 % 6.81 % 3. E Selected Survey Comments The paper and web form survey we gave to users provided space for user feedback. 05 Total Join 667 3350 1868 785 968 1509 1672 1396 1236 958 813 692 769 1019 1489 1319 1248 1187 955 664 131 24695 2. 04 Jan 1.29 % 15.37 % 4. 04 Apr 1. 04 Dec 1.57 % 7..8 % 3.85 % 18. 04 Oct 1. 129 (29%) found the need to tell us their thoughts. 05 Feb 1.61 % 89.07 % 0.51 % Figure 30: Facebook usage data for New York University.92 % 6.07 % 0.43 % 5.3 % 2.43 % 8.11 % 23. 05 Oct 1. • give me a break. 05 May 1. • I don’t give them much personal data anyway.58 % 5.75 % 3.76 % 0.07 % 0.72 % 1.88 % 3.1 % 0. 05 Mar 1.3 % 1.39 % 1.21 % 2.17 % 16.27 % 1.59 % 2008 Join 3 18 218 230 566 957 736 382 209 96 69 58 46 52 82 60 51 71 65 36 7 4012 0.08 % 0. 05 Apr 1.78 % 1.77 % 1.04 % 1.13 % 6.87 % 2.69 % 2.16 % 1.8 % 1% 1.77 % 5.02 % 0.18 % 3.95 % 2007 Join 348 1287 338 75 72 138 229 217 142 111 132 82 63 73 89 79 60 106 127 71 11 3850 9.. 05 Nov 1. E. 05 Aug 1.29 % 2.11 % 4. 04 Jul 1.45 % 1. The feedback we received was insightful.34 % 5.02 % 0.64 % 0.07 % 0.58 % 20.

67 % 3.14 % 2.39 % 0. 05 Sep 1. • I think people need to be aware that anything they put on Facebook is public domain. 05 Oct 1. 05 Apr 1.35 % 3. 05 May 1.57 % 8.23 % 2.05 % 2.87 % 1. • I think you should have to approve a tagged pictured before it goes up rather than having to check periodically to see if any pictures are not something you want up.29 % 2007 Join 1065 80 71 31 16 10 38 33 32 32 26 19 28 11 13 18 32 21 36 35 37 26 1710 62.93 % 1.When Users Join And Update Facebook at Harvard Month Of Mar 1.5 % 3.34 % 1.44 % 7.36 % 3.02 % 3.63 % 3.92 % 2.49 % 0.64 % 0.08 % 2009 Join 9 4 0 7 3 4 4 1 1 0 4 5 3 2 2 6 930 255 197 115 22 9 1583 0.78 % 1.74 % 1.68 % 4. • I wish I could automatically block all photo “tags” 74 .15 % 10. 04 Sep 1.81 % 81.64 % 0. Even though I’m not sure of the legalities.65 % 2.36 % 2.04 % 1.86 % 1.78 % 0.) • I think that it is primarily the users’ responsibility to be careful what is placed up on the facebook. 05 Aug 1. I don’t put information up that is too personal (phone numbers.87 % 1.15 % 1.54 % 11.87 % 1. 04 Jul 1.11 % 2.12 % 3. 05 Mar 1.26 % 1.66 % 2008 Join 21 14 9 298 206 204 431 195 51 27 19 22 15 19 14 24 31 25 47 71 37 5 1785 1. 05 Jun 1.06 % 0% 0.25 % 0.06 % 1.94 % 0.76 % 1.15 % 2. • I dont really care about my privacy on the facebook because i lie in my profile a lot • I set the option that prevents non-friends from seeing my cell phone number. 05 Feb 1.44 % 0. 05 Jul 1. etc.25 % 0.06 % 0.83 % 1.77 % 2.21 % 0.57 % 0.19 % 0.8 % 100 % Update 0 0 0 0 2 30 52 70 110 145 138 173 192 209 237 382 480 462 840 1419 2887 6564 14392 0% 0% 0% 0% 0.94 % Figure 31: Facebook usage data for Harvard University.01 % 0.22 % 1. 05 Dec 1.27 % 1.43 % 24.51 % 1. 04 Jan 1.22 % 5.58 % 2.83 % 3.38 % 58.13 % 0.34 % 1.52 % 1.11 % 12. 05 Total Join 5698 1387 698 850 491 410 711 556 387 394 380 417 402 324 285 346 1261 594 620 636 538 319 17704 32.69 % 11.75 % 16.13 % 0.81 % 0. not the other way around.52 % 9. 04 Apr 1. 05 Nov 1.46 % 1.01 % 0.16 % 1.28 % 10.86 % 9. 04 Oct 1. having to untag it and possibly report it.15 % 45. 04 Dec 1.32 % 4.25 % 0.61 % 1.28 % 4.18 % 0.4 % 2.06 % 0.96 % 1.84 % 1.05 % 1.95 % 7. 04 Jun 1.59 % 3.19 % 2.36 % 0.07 % 0.9 % 20.32 % 0. 04 Nov 1. 04 Aug 1.98 % 2.23 % 2.77 % 1.25 % 0% 0.5 % 16.19 % 0.8 % 2.23 % 0.21 % 1.18 % 7. 04 May 1.94 % 4.11 % 1.

asking permission of the people in it ahead of time etc. that Facebook can share your infor­ mation with third-party companies is somewhat alarming. • There are appropriate options. • When I place information on thefacebook. Not. but only if you take advantage/know about them • They need to support SSL. • To clarify my privacy concerns. Barely. gender. 75 . Somewhat. etc. the my photo is nice but needs a seurity on it as well . I am even more careful about posting information (such as my sexuality) that I might not want acquaintances from high school asking about.such as your name. Very. especially since users other than yourself can “tag” you in their photos. but I don’t place it on thefacebook. .• it is hard to tell whether ppl take facebook seriously or goof off with it. plus an additional question: “ How concerned are you about the privacy of your data on the Facebook?” Possible answers here were: N/A. Since my peers have such easy access to the data and can be sure it actually belongs to me. Quite. I do so specifically because I want it to be in the public domain. but there is an option to request that your information is not shared with third-parties. F Paper Survey The paper survey follows. I put the burden of protecting my privacy on myself via posting responsibly. The web form survey asked the same questions. I treat Facebook like any other open internet forum. There is obviously information that I would like to keep private. and filter things through the concern that anyone may view the information. age. • Since you willingly submit information to Facebook . Basically. not on Facebook via restricting access to what I choose to post. • what i think is interesting is that third parties can post photos of you and link them to you and it is unclear to me if you have any control over that or who can view those. • the photo feature is highly questionable.you should be fully aware that practically anyone from your school can view your personal information if you do not change your privacy settings.

Facebook Privacy Study: Survey FR E E C A N D Y I structions: Pl n ease circl your answ ers honestl e y. ..... 15...D oes Facebook do an adequate j in securing your personaldata?N O ob YE S YE S YE S YE S YE S YE S YE S Pl ease use the back ofthis f orm to m ake any additionalcom m ents you m ay have.. D o you ever f riend peopl w hom you have never m et in person? e N EVER SO M E TI E S M A LW A YS 9. .....I H O U SI G M T N O TH E R 4.You m ay skip any question you do not w ish to answ er..Pl ease D O N O T w rite nam e.... ... .N 16. .. D o you currentl have a Facebook account on w w w .. N O s ul ?..H ave you ever read Facebook' Term s ofService in f l . .... A re you f il w ith Facebook' “M y Privacy” f am iar s eature. . ... W hich gender describes you best? ( ease circl one) . ... M A LE pl e .. A pproxim atel how m any Facebook f y riends do you have f rom M I T? 110 1150 51100 101200 200350 > 350 7.A re you f il w ith Facebook' “M y Photo” f am iar s eature?... ... .or other contact inf orm ation on this f orm .. ... NO YE S 10.. 12.C an Facebook share your inf orm ation w ith other com panies?. y f com ? N O – D id you ever? NO YE S D O N ' K N O W /FO R G O T T AU G SE P OCT NOV D EC YE S – W hen did you create your account? J N FE B A 2003 M AR A PR 2004 M AY J N U 2005 J L U 5. W hich category describes you best? ( circl one) e U N D E R G R A D U A TE FA C U LTY G R A D STU D E N T STA FF PO STD O C O TH E R FE M A LE 3...that l ets you controlw ho m ay view your prof e?... 2..ail m ... N O s icy ul ?.e...C an you prevent other Facebook users f rom seeing your photos?.... 1. . .. O .. W hich best describes your current l iving situation? D O R M I R Y: ( ease specif TO pl y) FSI : ( ease specif LG pl y) O FF C A M PU S /N O N . N O ..... . A pproxim atel w hat percentage ofal y lofyour f riends are f rom M I T? 015% 1633% 3450% 5075% 75100% 8.D o you use the “M y Privacy” f eature to controlw ho m ay view your prof e? il NO 11... ..... . . .......H ave you ever read Facebook' Privacy Pol in f l .. acebook.. N O . ... 14. 13... . ..... . il .. 76 TH A N K YO U ! ... ..... . . ... ...... ... A pproxim atel how m any tim es a w eek do you l in to the Facebook? y og 0 13 48 915 2030 31+ D O N ' KN O W T 6... ... .

Sign up to vote on this title
UsefulNot useful