This paper explores how 20–something Facebook users understand and navigate privacy concerns. Based on a year–long ethnographic study in Toronto, Canada, this paper looks at how — contrary to many mainstream accounts — younger users do indeed care about protecting and controlling their personal information. However, their concerns revolve around what I call social privacy, rather than the more conventional institutional privacy. This paper also examines the somewhat subversive practices which users engaged in to enhance their own social privacy, and in some cases, violate that of others. Finally, this paper examines some of the reasons that users may continue using the site, despite privacy concerns.
Understanding new privacy concerns
Aliases and weekly wall cleanings
Fake accounts, direct URLs and photo album loopholes
Not your mother’s privacy
Social costs and benefits
Since its launch in 2004, Facebook, one of the world’s most popular social network sites, has received a great deal of criticism for its privacy practices. Indeed, one can argue that Facebook’s very purpose challenges conventional notions of privacy. According to CEO Mark Zuckerberg, Facebook is designed to increase the efficiency and transparency of communication. In practice, this can mean voluntary self–surveillance and full disclosure of a user’s activities to everyone on their Friends list, from a significant other to a boss to a long lost childhood friend. Moreover, the site’s Terms of Service (ToS) stipulate that people must use their real names, information and identities and only use the service to connect with “real world contacts” (Arrington, 2008). All this personal information, plus a user’s activities, is stored in what is essentially a huge database, where it can be analyzed, manipulated, systematized, formalized, classified and aggregated. As Ben, one of the study participants stated so aptly: “Facebook makes things that should just have happened in passing totally permanent and public. It’s like the ultimate Air Miles card — it doesn’t just track what and where and when you buy things. It tracks everything.”
To an outsider, sharing personal information on Facebook can seem like a ridiculous thing to do. Why would anyone compromise their privacy in such a manner? This question has puzzled both the mass media and academics alike. Often, the answer is related to generational or age differences, since sites like Facebook and MySpace are most popular with youth. For instance, a number of studies that specifically looked at Facebook have shown how open most students are with their Facebook profiles — having their profiles open to networks, or sharing personal information such as telephone numbers.
This concern about youth sharing their personal information online is not all that new. In 2006 a media–fueled moral panic erupted around youth and MySpace. The panic was largely based on the idea that pedophiles could use (and were using) social network sites to sexually “prey” on teens, who, in turn, were seen as putting themselves in harm’s way by sharing far too much personal information on their MySpace profiles (Marwick, 2008; boyd and Jenkins, 2006). Some media commentators argued that today’s young people are exhibitionists with questionable morals who do not appreciate the benefits of privacy, while other academics placed the blame on users, suggesting that users did not care about their privacy because they were ignorant or indifferent (Albrechtslund, 2008). Moreover, the choice to use (or not use) sites like Facebook is often framed as one that is made freely and without consequence, when in reality there can be a high social cost to non–participation.
Understanding new privacy concerns
In an attempt to better understand how Facebook users (especially those under 30) understood privacy in the age of Facebook, I began a year–long ethnographic study in January 2008 of a small group of socially connected 20–something Facebook users. The study took place in Toronto, Canada — then home to the second largest regional Facebook network — and was carried out both on and off the site. One of my goals was to unravel user attitudes towards privacy. I wanted to know how — or even if — people reconciled their use of Facebook with their privacy concerns. Like many ethnographic projects, what I found was unexpected.
All participants expressed concerns about some aspect of their privacy on Facebook. I also found that some users engaged in subversive practices to mitigate their privacy concerns. Thus, contrary to much of the mainstream rhetoric, my participants did care about privacy. Specifically, my participants were more concerned with what I call their social privacy when using Facebook, rather than their institutional privacy. In other words, they were more concerned about controlling access to personal information than about how the company behind Facebook (which I will call Facebook Inc. for simplicity’s sake) and its partners might use that information. This notion of social privacy is crucial to a nuanced understanding of online privacy issues, especially in the context of youth.
Study participants worried about how to best manage an inappropriate Friend request from, say, a boss or a student they were teaching. Participants worried about people they did not like finding them and contacting them through Facebook. Ben (a marketer for an educational firm) told me, on multiple occasions, how frustrated he was with the “context collision” created by Facebook’s flattened Friend hierarchy, where by default, everyone is given access to the same personal information. As a result, a user’s teetotaler boss sees the same things as their best friend, the party animal. This can cause problems when trying to decide what to share about yourself, or trying to manage how people from different life contexts might perceive you. What is appropriate for a user’s friends to see may not be appropriate for their employer. For this reason, Lee (a recent university graduate and social justice advocate) and James (a final year engineering student) worried about the lack of control they have over the content on their walls and the photos in which they are identified (or tagged). Even with all the complicated privacy features Facebook had put in place, Lee, James and every other Facebook user could still not pre–screen the comments that Friends wrote on their public walls or stop people from tagging them in photos. The only solution was to turn off your wall entirely, but there was nothing you could do when someone tagged you in an embarrassing or incriminating photo, other than untag yourself, hopefully before anyone else sees it plastered across your wall. After Facebook’s redesign in the summer of 2008, even turning off your wall could not stop Friends from posting comments directly to other parts of your profile, because Facebook Inc. had added a feature that allowed Friends to comment on anything you had posted to your profile (Whitnah, 2008).
James was also frustrated that when he joined new regional networks, Facebook would automatically set all his photos to be shared with everyone in that network, which spoke to his larger concern that Facebook’s design “always assumed you wanted to share more rather than less.”
Aliases and weekly wall cleanings
The importance of social privacy was further demonstrated by the lengths to which some participants would go to maintain their social privacy, and in some cases, violate the privacy of others. Facebook’s design and its Terms of Service (ToS) are intended to encourage certain types of behaviours while discouraging (or even prohibiting) others. Users are supposed to be their “true” selves, interact with “real” friends and respect the privacy of others. And, as mentioned, the goal of the site is to increase the transparency and efficiency of communication, two goals which are not exactly in line with the protection of a user’s social privacy. This encourages some users to subvert the site’s design by repurposing or circumventing the site’s features.
One of the main subversive ways that users try to protect their social privacy is the use of an alias. Pablo, a newspaper editor, told me his boyfriend used “Awesome Andrew” as his Facebook name. The name he used as his last name is his real first name, but obviously “Awesome” is not. Other participants will use a real first name, and then the first initial of their last name, or will use an entirely made up last name. The goal of this is to make it difficult for people to find them via search, or to attribute their Facebook activities to their “real” identities. The use of names in this way actually violates Facebook’s ToS, which stipulates that users must use their real names and identities when using the site. Occasionally (although to a lesser extent as of late), Facebook will delete accounts for this reason. Indeed, Facebook Inc.’s CEO, Mark Zuckerberg, casually revealed in a 2005 interview that they had algorithms crawling the site, performing various tasks such as analysing how “real” users were, in order to sniff out fake accounts (Breyer and Zuckerberg, 2005). boyd (2007) observed similar behavior in her larger ethnographic study on teen MySpace users who will use fake names, birthdays or other information in order to protect their privacy on the site. Peterson reports similar findings in research on college–age Facebook users.
Another method used to enhance social privacy is to delete wall posts and photo tags which would otherwise be kept and publicly displayed indefinitely. Pablo told me he took the time to clean his wall once a week because he did not like other people reading the posts. While this strategy does not violate the ToS, Facebook’s design — which is aimed at making as much communication visible as possible — is not conducive to this sort of activity. Each wall post and tag must be deleted manually, and as mentioned, Facebook does not provide any method to pre–screen tags before they are applied.
Multiple accounts, direct URLs and photo album loopholes
Users will also repurpose Facebook’s design to violate the privacy of others. I spent an afternoon with Lee and a friend of his named Kalvin. Kalvin let us use his Facebook account to view photos of one of Lee’s exes. While Lee was not Friends with his ex, Kalvin was, which meant he could see all her photos. Another afternoon, Lola (a civil servant) sent me direct URL links to photos of a former classmate that she did not like, yet was still Friends with. Even though I was not Friends with this classmate, Lola could easily right click the Facebook photo and get the URL of the image, which was viewable to anyone, even to someone without a Facebook account.
Similarly, participants were aware of (and enjoyed exploiting) a loophole in the way albums are shared on Facebook. If a Friend comments on one of their Friends’ photos, and one of their other Friends sees that comment in their news feed, they can click on the comment and get access to the whole album belonging to their Friend’s Friend, even though he or she did not intend to share them beyond their Friends. Ben admitted to being Friends with people just so he could “creep” their profiles — an activity so common, it even has its own term, which I have heard used frequently in Toronto and other cities.
Lee and Ben’s ex–boyfriend Dan both admitted to having multiple fake accounts in different regional networks to circumvent Facebook’s geographically based privacy restrictions (which were, as of June 2009, slowly being changed). They would use these accounts to spy on people they knew who had blocked their real accounts, but had left their privacy controls on the default privacy settings — meaning only users in their regional network could see most of their profile information. In sum, these subversive behaviours demonstrate that participants were quite aware that Facebook Inc.’s highly touted privacy controls are easily circumvented, further underscoring participants’ concerns about their social privacy on Facebook.
These stories, combined with the related findings by boyd (2007) and Peterson (2009), suggest that Facebook users do indeed care about privacy. However, their concerns are focused more on social rather than institutional privacy. In other words, they are concerned with controlling the flow of information, that is, how and when their personal information is shared with other people — which is a reason some users engage in behaviours that repurpose or circumvent the site’s design.
Not your mother’s privacy
The concept of social privacy is not a new one. Rather, it is often an element of a larger, more holistic (and usually more scholarly) definition of privacy, such as DeCew’s notions of expressive and informational privacy. For DeCew, informational privacy is the protection of personal information relating to daily activities, finances, and lifestyle. Expressive privacy is the desire to protect oneself from the influence of peer pressure or ridicule and to be free to express one’s own identity. It is the ability to control what is said about you. When informational privacy is compromised, so too is expressive privacy. Since Facebook turns all self–expression and communication on the site into information which is stored in a database (that is, it is archived and reproducible) we can say that informational and expressive privacy — or in my terms, social privacy — has been compromised. My participants were concerned with how, when and who could see their personal information: both in terms of information they had provided themselves on their profiles, as well as comments others had left on their walls or through photos they had been tagged in.
Contrast this concept of social privacy with pre–Facebook notions of privacy. In reviewing American privacy surveys from the late 1970s until recently, conducted by Alan Westin and Harris Interactive, one can see that privacy has been largely understood as informational and institutional. In other words, if you were to ask someone about privacy they would frame their response based on how institutions such as governments, banks and other businesses, use or misuse their personal information. Academic work in this area, especially regarding electronic surveillance and Internet privacy, reflects this stance through the conception of privacy threats as originating from institutions, such as governments or large corporations. For example, Lyon (2001) discusses how the growing ubiquity of institutional surveillance through closed circuit television, genetic screening and credit card monitoring threatens our civil liberties.
The notion of privacy pragmatism helps to explain why people use Facebook despite their concerns about their social privacy. During the 1980s, influential privacy researcher Alan Westin conducted surveys which found that the public’s concerns about privacy threats had increased dramatically, with almost half of the survey respondents reporting by the end of the decade that they were “very concerned about threats to their personal privacy.” Westin classified his survey respondents into three categories: privacy fundamentalists; privacy pragmatists and privacy unconcerned. By 2003, the number of privacy pragmatists — that is, people who are concerned about their privacy but are willing to trade some of it for something beneficial — had risen by 10 percent to 64 percent of those surveyed. At the same time, people who were unconcerned about threats to their privacy dropped from 22 percent to 10 percent (Taylor, 2003).
This shift towards “privacy pragmatism” was reflected in my findings with my Toronto participants, as well as Tufekci’s 2008 study of university–age Facebook and MySpace users in the United States. In the same way many people give away some of their personal information in exchange for the perks of an Air Miles card, users of Facebook benefit from their use of the site at the cost of their privacy.
Social costs and benefits
As Facebook’s 350 million (as of December 2009) user base suggests, there is a payoff for use of the site. The mass adoption of Facebook, especially among younger users in North American urban centres, makes it increasingly important for one’s social life to be on the site. Indeed, the Canadian Privacy Commissioner’s 2009 report on Facebook described social network sites as a “cultural phenomenon” whose popularity has “exploded” around the world (Denham, 2009). Even in 2005, Acquisti and Gross’ Facebook study claimed that social network sites had “moved from niche phenomenon to mass adoption” (Gross and Acquisti, 2005).
As Facebook replaces the phone or e–mail as the default mode of interaction, having a Facebook account makes it all the more essential for getting and staying in touch with one’s friends, acquaintances and co–workers. One of the first conversations that James and I ever had about Facebook was about how one of his friends was upset because he had deactivated his account, so when she was organizing events she had to go out of her way to e–mail him an invite. She told him she liked Facebook because she found that people changed their e–mail addresses and mobile numbers frequently enough to make it difficult to keep an address book up to date. However, people tend to keep their Facebook profiles updated with their real contact information and any invites or messages would get relayed from Facebook to their most up to date e–mail inbox.
Just as there are benefits to being on Facebook, there can also be significant social costs involved in not having an account. As Facebook becomes ubiquitous and the default mode of communication, those who are not on it are left out. As Chris Hughes, one of Facebook’s co–founders, told John Cassidy, a reporter for the New Yorker: “‘If you don’t have a Facebook profile, you don’t have an online identity … . It doesn’t mean that you are antisocial, or you are a bad person, but where are the traces of your existence in this college community? You don’t exist online, at least. That’s why we get so many people to join up. You need to be on it.’” For Bigge (2006), Hughes’ comments reflect a “narrative of inevitability” that describes “a false choice, a sociotechnical scenario devoid of agency.” The costs of non–participation are so high that it is not a matter of if you will join Facebook, but when. Thus, contrary to much of the rhetoric in the debate around online privacy, the use of Facebook is not necessarily a choice free of coercion, nor are the reasons for sharing information on the site simply about self–obsession or exhibitionism.
The mass adoption of Facebook changes privacy, and thus how users understand and deal with privacy concerns. This is especially true for those who are younger, whose notions of privacy are developed in a time and place where social media are ubiquitous. It is not surprising, then, that many younger Facebook users mean something different when they speak about privacy and in turn manage that privacy in different or unfamiliar ways.
In conclusion, this study, in concert with the findings of boyd (2007) and Peterson (2009), sheds some light on why there is such a discrepancy between the behaviour of Facebook users and the way the debate about online privacy is often framed. The full implications for privacy in the age of Facebook and social media are still unknown, especially since the landscape is evolving at a rapid pace. Understanding this distinction in meanings of privacy among different groups, however, is a crucial first step.
About the author
Kate Raynes–Goldie is a PhD candidate in the Internet Studies program at Curtin University of Technology in Australia. Her thesis examines identity, privacy and sociality in the age of Facebook. She maintains a blog at http://k4t3.org.
I would like to acknowledge a grant graciously provided by the Center for Information Policy Research at the School of Information Studies, University of Wisconsin–Milwaukee to support the presentation of an earlier version of this paper at the 2009 Association of Internet Researchers Annual Conference. I would also like to thank my supervisors — Helen Merrick, Matthew Allan and Philip Moore at Curtin University of Technology — for their wonderful support and feedback.
All names have been changed to protect the privacy of study participants.
1. Baloun (2007), pp. 111–112; Smith (2008).
2. “Friends” are used as a functional descriptor on Facebook to describe anyone listed as a contact, so I use Friends to distinguish between the Facebook sense and friends in the conventional, pre–Facebook sense.
3. See Samuelson (2006) and Barnes (2006) for examples.
4. Such as Acquisti and Gross (2006) and Tufekci (2008), p. 23.
5. Tufekci (2008), p. 20.
6. Such as Samuelson (2006).
7. See Peterson (2009), which argued that users should subscribe to the old adage “buyer beware” and that “people who don’t want strangers to know the intimate details of their lives should think twice about posting those tidbits online in the first place.”
8. Acquisti and Gross (2006), p. 6.
9. Peterson (2009), p. 19.
10. DeCew (1997), pp. 75–76, 77–78.
11. Philosophically, privacy is a “muddled” and “exasperatingly vague” concept whose definition is a source of debate among privacy scholars (Solove, 2007, p. 8). Yet, like art (another one of those philosophically contentious terms as Danto (1992) would argue), privacy still exists in an everyday world and is understood and used practically by businesses, government, law–makers and, of course, users of Facebook. So, my goal here is not to provide an overview of philosophical debates about the meaning of privacy. Instead, I want to provide a summary of privacy and threats to privacy as defined and understood in mainstream North American society (that is, privacy as defined through practical use).
12. See Kumaraguru and Cranor (2005); Gandy (1993) for excellent in depth discussions and analyses of Westin’s body of research.
13. See Lessig (1999), p. 61, for an example.
14. Gandy (1993), p. 140.
15. Kumaraguru and Cranor (2005), pp. 11–12.
16. Tufekci (2008), pp. 20–21.
17. Cassidy (2006), p. 6.
Alessandro Acquisti and Ralph Gross, 2006. “Imagined communities: Awareness, information sharing, and privacy on the Facebook,” Privacy Enhancing Technologies (PET) Workshop, pp. 36–58; version at http://privacy.cs.cmu.edu/dataprivacy/projects/facebook/facebook2.pdf, accessed 2 January 2010.
Anders Albrechtslund, 2008. “Online social networking as participatory surveillance,” First Monday, volume 13, number 3, at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2142/1949, accessed 2 January 2010.
Michael Arrington, 2008. “Facebook isn’t a social network. And stop trying to make new friends there” (15 September), at http://www.techcrunch.com/2008/09/15/facebook-isnt-a-social-network-and-dont-try-to-make-new-friends-there/, accessed 5 December 2009.
Karel M. Baloun. 2007. Inside Facebook: Life, work and visions of greatness. Victoria, B.C.: Trafford.
Susan B. Barnes, 2006. “A privacy paradox: Social networking in the United States,” First Monday, volume 11, number 9, at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1394/1312, accessed 2 January 2010.
Ryan Bigge, 2006. “The cost of (anti–)social networks: Identity, agency and neo–luddites,” First Monday, volume 11, number 12, at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1421/1339, accessed 2 January 2010.
danah boyd, 2007. “MyFriends, MySpace: American youth socialization on social network sites” [video recording], at http://www.youtube.com/watch?v=_mzctKajhI0, accessed 5 December 2009.
danah boyd and Henry Jenkins, 2006. “MySpace and Deleting Online Predators Act (DOPA),” MIT Tech Talk (26 May), at http://www.danah.org/papers/MySpaceDOPA.html, accessed 2 January 2010.
Jim Breyer and Mark Zuckerberg, 2005. “Mark Zuckerberg discusses Facebook” (video recording, 26 October), at http://ecorner.stanford.edu/authorMaterialInfo.html?mid=1567, accessed 2 January 2010.
John Cassidy, 2006. “Me media: How hanging out on the Internet became big business,” New Yorker (15 May), at http://www.newyorker.com/archive/2006/05/15/060515fa_fact_cassidy, accessed 2 January 2010.
Arthur C. Danto. 1992. Beyond the Brillo box: The visual arts in post–historical perspective. New York: Farrar Straus Giroux.
Judith Wagner DeCew. 1997. In pursuit of privacy: Law, ethics, and the rise of technology. Ithaca, N.Y.: Cornell University Press.
Elizabeth Denham, 2009. “Report of Findings Into the Complaint Filed By the Canadian Internet Policy and Public Interest Clinic (CIPPIC) Against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act,” at http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm, accessed 5 December 2009.
Oscar H. Gandy. 1993. The panoptic sort: A political economy of personal information. Boulder, Colo.: Westview.
Ralph Gross and Alessandro Acquisti, 2005. “Information revelation and privacy in online social networks (the Facebook case),” ACM Workshop on Privacy and the Electronic Society (WPES); version at http://www.heinz.cmu.edu/~acquisti/papers/privacy-facebook-gross-acquisti.pdf, accessed 2 January 2010.
Ponnurangam Kumaraguru and Lorrie Faith Cranor, 2005. “Privacy indexes: A survey of Westin’s studies,” Institute for Software Research International, Carnegie Mellon University, Technical Report, CMU–ISRI–5–138.
Lawrence Lessig. 1999. Code and other laws of cyberspace. New York: Basic Books.
David Lyon. 2001. Surveillance society: Monitoring everyday life. Buckingham, Eng.: Open University Press.
Alice E. Marwick, 2008. “To catch a predator? The MySpace moral panic,” First Monday, volume 13, number 6, at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2152/1966, accessed 2 January 2010.
Chris Peterson, 2009. “Saving face: The privacy architecture of Facebook,” senior thesis, at http://works.bepress.com/cpeterson/1/, accessed 2 January 2010.
Robert J. Samuelson, 2006. “A Web of exhibitionists,” Washington Post (20 September), at http://www.washingtonpost.com/wp-dyn/content/article/2006/09/19/AR2006091901439.html, accessed 2 January 2010.
Justin Smith, 2008. “Live notes from Mark Zuckerberg’s keynote at F8 Developer Conference,” at http://www.insidefacebook.com/2008/07/23/live-notes-from-mark-zuckerbergs-keynote-at-f8-developer-conference/, accessed 5 September 2008.
Daniel J. Solove, 2007. “‘I’ve got nothing to hide’ and other misunderstandings of privacy,” San Diego Law Review, volume 44, p. 745.
Humphrey Taylor, 2003. “Most people are ‘privacy pragmatists’ who, while concerned about privacy, will sometimes trade it off for other benefits,” at http://www.harrisinteractive.com/harris_poll/index.asp?PID=365, accessed 5 December 2009.
Zeynep Tufekci, 2008. “Can you see me now? Audience and disclosure regulation in online social network sites,” Bulletin of Science, Technology & Society, volume 28, number 1, pp. 20–36. http://dx.doi.org/10.1177/0270467607311484
Tom Whitnah, 2008. “We’re open for commentary,” at http://blog.facebook.com/blog.php?post=20877767130, accessed 5 December 2009.
Paper received 10 December 2009; accepted 31 December 2009.
Copyright © 2010, First Monday.
Copyright © 2010, Kate Raynes–Goldie.
Aliases, creeping, and wall cleaning: Understanding privacy in the age of Facebook
by Kate Raynes–Goldie.
First Monday, Volume 15, Number 1 - 4 January 2010