Over two billion users consume social media to build and participate in online social networks (OSNs), uploading and sharing hundreds of billions of data items.15 OSNs are not only huge in scale, they are predicted to keep growing in the coming years both in the number of users and in the amount of data users upload and share. The vast amount of data in social media is user-generated and personal most of the time, which clearly calls for appropriate privacy preservation mechanisms that allow users to benefit from social media while adequately protecting their personal information. Protecting users’ privacy is not only essential to respect the Universal Declaration of Human Rights but also to serve as a first line of defense to mitigate cybercrime and other illegal activities that leverage the data obtained due to privacy breaches in social media, such as social phishing, identity theft, cyberstalking, and cyberbullying.
Key Insights
- Multiparty privacy is an important problem in social media that also expands into other areas of social computing like cloud-based file sharing, collective intelligence, and wiki pages.
- Mainstream social media does not provide sufficiently adequate support for multiparty privacy and, as a result, users are forced to use different strategies that are far from optimal.
- There is an ongoing and growing body of multiparty privacy research, which we summarize and explore the limitations of in this article.
- We outline a research roadmap and a set of requirements for multiparty privacy tools.
There have been many efforts devoted to studying privacy in social media and how to protect users’ personal information since the very early days of social media, such as explored by Gross and Acquisti.10 However, most of these efforts have focused on privacy from an individual point of view. For instance, advances include research9 and industry16 efforts on helping individual users better target their audience by modeling different relationships and social circles beyond the binary friendship model that is prevalent in most social media. While this has indeed helped to advance the state of the art on the topic, the problem of content affecting the privacy of more than one user at the same time has received little attention.
Privacy is not just about what you say or disclose about yourself. It is also about what others say or disclose about you. Evidence shows there are privacy boundaries collectively held and managed by individuals within relationships, families, groups, and organizations.22 With the massive growth of social media, however, collectively held privacy boundaries have become extremely challenging to maintain, as many of the hundreds of billions of items uploaded are co-owned by multiple users,14,15 yet mainstream social media only allow the user uploading a co-owned data item to set its privacy settings, which often leads to conflicts and severe privacy violations.33,35 Multiparty privacy (MP) aims to facilitate the coordination of collectively held privacy boundaries by all individuals that co-own a data item online, as the privacy of all of them may be at stake depending on with whom the co-owned data item is shared.a MP particularly focuses on supporting the detection and resolution of multiparty privacy conflicts (MPCs), when individuals whose privacy may be affected by the same co-owned data item have conflicting privacy preferences. Take a simplified but illustrative example of MPC: Alice takes a photo of her and Bob. Mainstream social media would only allow Alice (assuming she uploads the photo) to set the privacy settings for the photo, but what if Bob would not like to share it with some of the friends Alice would like to share the photo with? MP is concerned with not only photos but also other social media content such as posts, videos, comments, or events. Beyond social media, MP could also be useful in other social computing domains, in which information is co-created and co-owned by multiple users, so all these users should have a say on with whom this information is shared, such as collaborative software (for example, cloud-based collaborative documents), internal/external wiki pages, blogs, collective intelligence, crowdsourcing, among others.
Designing MP tools is a complex and difficult task, as users have different privacy attitudes and preferences; they socialize online with multiple types of relationships; and they share varying amounts of different types of content. In this article, we discuss the limited MP support users currently have, the coping strategies users are forced to resort to in the absence of adequate MP support, and the latest developments in MP mechanisms and tools. Based on this, we outline a roadmap for future research with a set of requirements for developing MP tools.
Social Media Support for MP
Mainstream social media sites support some sort of MP, which mainly comes in the form of two mechanisms: tagging/untagging and reporting inappropriate content.
Tags are normally used to name people that appear in a photo with a link to their profile. People tagged in a photo can, however, untag themselves from the photo. There are some social media sites (like Facebook) in which you can opt in to receive notifications about the photos you have been tagged in and approve tags before they become effective. Tagging/untagging represents some sort of MP, but it has three main limitations. The first limitation is that even if you untag yourself from a photo before anyone sees it, this does not mean that your friends will not end up seeing the photo anyway. For instance, Alice and Bob are in a photo that Alice uploads to Facebook, tagging Bob in it. Bob receives a notification, reviews the photo and decides not to approve the tag because he feels, for example, embarrassed about the photo. The point is that the photo, even without Bob being explicitly tagged, will be shared according to what Alice decides. That is, if Alice decides to share it with her friends, and Alice and Bob share some friends, all these friends will be able to see the photo on Alice’s wall anyway. The second limitation is that tagging/untagging is supported for photos but not for other items such as posts, comments, and events. Posts and comments do usually have the option to include mentions (using special symbols such as ‘@’), but these mentions are only controllable by the post/comment creator, though users can remove comments on their own posts/photos. Finally, many users state that they feel very uncomfortable untagging themselves from photos because it may offend (from a social angle) the person who tagged them in the photo.2
Regarding reporting, most social media sites allow users to report when content published by others is not appropriate. This mechanism is mainly used to deal with highly inappropriate (or even illegal) content such as nudity, hate speech, violence, and other very serious offenses. After being reported, the provider decides unilaterally what to do with the content (delete it or not). Although this mechanism is of utmost importance to fight against these very serious offenses, it is not appropriate for all MP scenarios, as there are many cases in which privacy violations can happen without necessarily being related to these offenses. For instance, it may just be the case that you are not comfortable sharing some information with some other people, or you want to conceal information from your work colleagues. Also, it is important to highlight that reporting is only a reactive mechanism, which only activates after content has already been published and someone flags it as inappropriate. However, by the time the content is flagged it may well be too late: the privacy violation may have already happened, the derived consequences may be unrecoverable, or other users may have already downloaded the content and distributed it through other channels.
The problem of MP is starting to be recognized by mainstream social media as demonstrated by a recent revamp of Facebook’s privacy controls.b In particular, Facebook’s Privacy Basics now explains the newly introduced option to contact users about photos you do not like. The mechanism works as follows: if a user is tagged in a photo and she does not like the photo, she can now flag it as a photo she does not like, which then opens up a message window containing a form with the recipient field set to the one who uploaded the photo, so that the user who does not like the photo can ask the user who uploaded it to remove it and include an optional reason for the removal. Although this is a step forward that very much recognizes the issue of MP, it still falls short for multiple reasons, some of them also shared with tagging/untagging and reporting inappropriate content: a) the process happens once the photo has already been published, so any potential privacy breaches may have already occurred; b) it takes time to take down a photo that has already been published. For example, Lian et al.19 calculated the time it takes for a photo URL to become unavailable after the photo has been deleted from the social media site, which turned out to be three days on Instagram, seven days on Facebook, 14 days on Flickr and over 30 days on MySpace and Tumblr; c) it does not enable collective negotiation, as the photo may involve other people and not only the one who uploaded it and the one who complains about it; d) everything needs to be done manually, which introduces an unbearable burden on users considering the large number of friends users have online; and e) this mechanism has only been implemented for photos but not for other types of content such as posts, comments, and events.
User Coping Strategies for MP
As noted previously, there is a distinct lack of built-in capabilities in current social media infrastructures to help users compromise by actively negotiating with others.40 Users are forced to communicate outside social media and apply a number of coping strategies to try to overcome or work around that lack of technical support. Basically, most of these coping strategies consist of actions or behaviors in the offline world that aim to prevent MPCs from happening online. Research uncovered several examples of these coping strategies, which very much stress the need for MP tools. We discuss some examples of coping strategies and their shortcomings next (summarized in Table 1).
Table 1. Examples of coping strategies.
One of the offline strategies people employ before posting an item to avoid MPCs is trying to anticipate whether the item could be sensitive to anyone potentially affected by it.18 For instance, if Alice and Bob appear together in a photo but Bob appears clearly inebriated, then it is likely that Alice may consider this by either not posting the photo or sharing it only with a restricted number of friends. However, this does not always work, as sometimes the person posting an item cannot anticipate beforehand the consequences it may have for others. An example is given in Lampinen et al.18 where a person was congratulated by a friend, via a comment, about being accepted to a master’s program, but the person had to quickly remove the comment as he had not yet told his employer about it and his employer was also a friend of his online. Note that even if the person removed the comment quickly, there was still the risk that his employer had already noticed the comment before it was removed.
Users sometimes ask the other co-owners of an item for approval before sharing it.18 The problem with this strategy is that it is done offline without any technical means that could facilitate it. That is, one would need to ask permission offline of all people that may be affected by each and every item they upload. Also, when someone did not approve, they would need to negotiate a solution (for example, reduce the initial audience or decide not to upload). This would quickly become an unbearable burden on users.
It has also been observed that teens cloak their messages and share photos with inside jokes.3 For instance, Boyd and Marwick3 report an example of a girl writing a post on Facebook about something she knew only her close friends would understand, as she wanted to prevent other friends from knowing what she actually meant. The downside of this strategy is that it clearly does not scale and may not be feasible for all photos or other types of items that people would like to share. For example, a photo about your travel to Mauritius cannot be easily cloaked in case you want to share it with some people but not with others.
As social media proves inadequate to manage disclosures in MP scenarios, some users switch media to share content using other technologies such as cloud-based file sharing, instant messaging, or email attachments.2 This has the advantage of protecting not only their own content but also limiting the privacy risks for others. There are, however, three main disadvantages as well. Firstly, this may be possible for photos, videos, and so on, but not for other types of content such as events or comments. Secondly, users cannot control which technologies their friends use; that is, their friends could still upload photos using social media without users being able to do anything about it. Thirdly, these technologies might also lead to MPCs. For instance, one user may share a video in a Whatsapp group in which there are people with whom other users in the video would not like to share it.
Users also confirmed that, in the absence of better ways to manage MP situations, they actually change and tightly control their offline behavior. For example, people behave in a different way when they see a camera around.2,18 If you know a friend likes to take photos and posts them very often, you may decide not to hang out with her to avoid any undesired photos being posted. This highlights the extent to which people feel unable to participate in MP decisions. The effectiveness of this strategy is again very limited: given the pervasiveness of smartphones and wearable devices, being always alert and constantly modifying your offline behavior is infeasible.
One of the most interesting strategies perhaps is that users collectively negotiate and achieve offline agreements and compromises about what gets posted and with whom it gets shared.2,18,40 For instance, a group of friends could agree that the photos they take on a trip can only be shared among them or with their close friends. Interestingly, it turns out users are always very open to considering and accommodating others’ preferences as much as possible.18,40 In addition, research uncovered that users do not want to cause any deliberate harm to their friends and will normally listen to reasonable objections, which also acts as a way of reaffirming and reciprocating relationships.40 The main problem with this strategy, as with many of the other strategies seen so far, is that it does not scale. It is impossible for users to be constantly negotiating with hundreds of friends about hundreds of photos without technical aid.
Research on MP Tools
It seems clear considering all the cases noted here that users actively seek to work around the problem of not having adequate technical support for MP. However, the effectiveness of the coping strategies they use for this seems rather limited given the drawbacks these strategies have. This has inspired researchers to design interfaces and computational methods that empower users to collectively manage MP in more effective and efficient ways than the coping strategies they are forced to resort to today. Although research in this area is still in its infancy, there have been a number of proposals that we categorize below into five main approaches (summarized in Table 2), highlighting their strengths and limitations. Note that other works in addition to those discussed have also been published, but we could not include all of them due to the space and maximum references allowed, and have instead included those we considered the most representative of each approach.
Table 2. Summary of MP approaches with example references.
Manual approaches. The first research stream proposed support for MP by helping users to identify where MPCs can or did occur.2,39 For instance, Wishart et al.39 present a way to specify strong and weak sharing preferences so that these preferences could be inspected to find conflicts. Also, Besmer et al.2 introduce a system whereby users tagged in a photo can contact the user who uploaded the photo to ask to remove it or to restrict the audience of the photo, which resembles the functionality Facebook introduced some time later.7 While these approaches represented a stepping-stone, recognized the problem of MP, and proposed a partial solution to it, they left all the negotiation process to resolve detected conflicts to happen without any particular technical aid. That is, users must resolve every potential MPC in a manual way, which may become an unbearable burden considering the massive amount of content uploaded and the number of friends that users have in social media.
Auction-based approaches. Another research stream proposed solving potential MPCs using a bidding mechanism.30 Users bid for the sharing decision they would prefer the most and the winning bid determines the sharing decision that will be taken for a particular item. These approaches were the first ones to consider a semiautomated method to aid users in collectively defining a sharing decision—for example, the outcome of the auction is computed automatically from the bids users specify. However, users may have difficulties comprehending the mechanism and specifying appropriate bid values in auctions, and users are required to bid for each and every item co-owned with others.
Aggregation-based approaches. These approaches suggest a solution to an MPC by aggregating the individual privacy preferences of all users involved. They can be abstractly conceptualized as voting mechanisms, where the preferences of each user affected by an item count as one vote (sometimes weighted) for sharing/not sharing. Then, a voting rule models how each of these mechanisms aggregates votes together. For instance, in majority voting,5 the preference of the majority of users is taken as the decision to be applied to the content. Another example would be veto voting,35 so that if one of the users affected by the content opposes sharing, then the content is not shared. The main problem with these approaches is that they always aggregate preferences in the very same way. For instance, using majority voting always means that even when content can be very sensitive and lead to privacy violations for one user, it will be shared if the majority of users wishes to. In contrast, always using veto voting may be too restrictive and impact the known benefits users get from sharing in social media.29 Subsequent works12 recognize this issue and consider more than one way of aggregating user preferences. However, it is up to the one who uploads the item to decide the aggregation method to apply. This requires the user who uploads the item to anticipate the consequences for others, which may be a very difficult task as discussed earlier, and it may not always yield the optimal solution.
Adaptive approaches. These approaches automatically infer the best way to solve an MPC based on the particular situation.32 They model a situation considering factors such as the individual preferences of each user, the sensitivity of the content, or the relationships to the potential audience. Then, a particular situation instantiates particular concessions that are known to happen when people negotiate offline an agreement about sharing co-owned items.2,18,40 Thus, these approaches automatically adapt to the situation at hand, becoming as restrictive as veto voting if the situation requires it (for example, if the item is very sensitive), or suggesting sharing in other situations (for example, someone having special interest in sharing and the others not caring much about it). While these approaches capture the known situations in which concessions happen during offline negotiations, it is difficult to model all possible situations, and they may not capture opportunistic concessions or agreements that may arise in potentially unknown situations.
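To make the aggregation-based and adaptive approaches above concrete, the following is an added example written for this article, not code from any of the cited systems. It detects per-recipient MPCs among the co-owners of one item, resolves them with majority and veto voting, and adds a deliberately minimal adaptive rule that falls back to veto only when a co-owner flags the item as highly sensitive; the co-owners, recipients and preferences are constructed, and the "sensitivity" field is an assumed input rather than a feature of any real platform.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# All names and preferences below are constructed for this example.


@dataclass
class Preference:
    """One co-owner's sharing preference for a single co-owned item."""
    allow: Set[str]        # recipients this co-owner is willing to share with
    sensitivity: int = 0   # assumed scale: 0 = not sensitive ... 2 = highly sensitive
    weight: float = 1.0    # vote weight (1.0 = plain one-person-one-vote)


# A voting rule decides, for one recipient, whether the item is shared with them.
Rule = Callable[[Dict[str, Preference], str], bool]


def candidate_audience(prefs: Dict[str, Preference]) -> Set[str]:
    """Everyone at least one co-owner would share with: the set to decide over."""
    return set().union(*(p.allow for p in prefs.values()))


def detect_conflicts(prefs: Dict[str, Preference], candidates: Set[str]) -> Set[str]:
    """Recipients on whom the co-owners disagree: these are the MPCs to resolve."""
    return {r for r in candidates
            if any(r in p.allow for p in prefs.values())
            and any(r not in p.allow for p in prefs.values())}


def majority_vote(prefs: Dict[str, Preference], recipient: str) -> bool:
    """(Weighted) majority: share if the 'yes' weight exceeds the 'no' weight.
    Ties resolve towards not sharing, the privacy-conservative choice."""
    yes = sum(p.weight for p in prefs.values() if recipient in p.allow)
    no = sum(p.weight for p in prefs.values() if recipient not in p.allow)
    return yes > no


def veto_vote(prefs: Dict[str, Preference], recipient: str) -> bool:
    """Veto: a single objecting co-owner blocks sharing with that recipient."""
    return all(recipient in p.allow for p in prefs.values())


def adaptive_rule(prefs: Dict[str, Preference]) -> Rule:
    """Pick the rule from the situation instead of fixing it in advance:
    if any co-owner flags the item as highly sensitive, fall back to veto;
    otherwise let the majority decide. The published adaptive approaches
    model more factors (relationships, audience); this is the simplest case."""
    if any(p.sensitivity >= 2 for p in prefs.values()):
        return veto_vote
    return majority_vote


def negotiate_audience(prefs: Dict[str, Preference], candidates: Set[str],
                       rule: Rule) -> Set[str]:
    """Apply the rule per recipient. The item keeps its full utility (nothing
    is blurred); only the audience shrinks to the recipients the rule admits."""
    return {r for r in candidates if rule(prefs, r)}


def sample_preferences() -> Dict[str, Preference]:
    """Constructed scenario: Alice uploads a party photo of Alice, Bob and Carol.
    Bob does not want his employer Eve to see it and marks it highly sensitive."""
    return {
        "alice": Preference(allow={"dave", "eve", "frank"}),
        "bob":   Preference(allow={"dave", "frank"}, sensitivity=2),
        "carol": Preference(allow={"dave", "eve"}),
    }


if __name__ == "__main__":
    prefs = sample_preferences()
    cands = candidate_audience(prefs)
    print("conflicts:", sorted(detect_conflicts(prefs, cands)))
    for name, rule in [("majority", majority_vote), ("veto", veto_vote),
                       ("adaptive", adaptive_rule(prefs))]:
        print(f"{name:8}: {sorted(negotiate_audience(prefs, cands, rule))}")
```

Running it shows the limitation the text describes: majority voting still admits Eve (two votes to one) despite Bob's objection, veto keeps only Dave, and the adaptive rule reaches the veto outcome only because Bob marked the photo as highly sensitive.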
Game-theoretic approaches. Another approach has been to define negotiation protocols, which standardize the communication between participants negotiating a solution to an MPC by defining how the participants can interact with each other. These protocols are then enacted by users manually15 or automatically by software agents17,31 to negotiate an agreed sharing decision for a particular item. Participants can follow different strategies when enacting the negotiation protocols, and these strategies are analyzed using well-known game-theoretic solution concepts such as the Nash equilibrium. This allows one, for instance, to determine analytically the best strategies participants can play, as well as to find strategies that are stable (strategies in which no participant has anything to gain by unilaterally changing only her own strategy). While these proposals provide elegant frameworks from a formal point of view and build upon well-studied analytic tools, they may not work well in practice.13 This is because users’ behavior does not seem perfectly rational in practice (as assumed in these approaches), and even if some proposals are starting to consider other factors like reciprocity17 and social pressure,25 they are still far from capturing the many social idiosyncrasies that play a role in MP.18,40
Fine-grained approaches. The last research stream focuses on preventing MPCs by allowing each user in a photo to independently decide whether some personally identifying objects within the photo are shown or blurred.14,36 In particular, one of the first works in this approach allowed users to individually decide whether their face is shown or blurred.14 The process works as follows: the users in a photo are identified using face recognition algorithms such as Facebook’s DeepFace algorithm;34 the users recognized are notified and they can suggest the list of friends who can have access to the photo; and when a user wants to access a photo, she will only see the faces of the users that have granted access to her, and the other faces in the photo will appear blurred. However, blurring faces (or other objects in a photo) may impact the utility of the photo being shared, negatively affecting the benefits people get by sharing in social media,29 and there is also the risk that a person can be reidentified even if her face (or other objects in a photo) has been blurred.23 Hence, when a collaboratively agreed solution to an MPC is possible, that solution might be more desirable than enforcing access separately, as the photo will not lose any utility (no object blurred), but the audience of the photo will be negotiated to remove access for any undesired people.
Requirements For MP Tools
Building upon the previous analysis on existing approaches and their limitations, we now outline a set of requirements to develop MP tools that empower users to collectively manage their privacy together with others and overcome these limitations. These tools would aid end users to identify potential MPCs and, when MPCs are identified, provide support for their resolution (for example, in the form of recommendations), allowing an appropriate “boundary regulation process by actively negotiating one’s boundaries with others.”40 Next, we describe each of the requirements in detail.
Design informed by real-world empirical data. None of the existing approaches are grounded in a deep understanding of MPCs and their optimal solution in practice. This is in part due to not having enough empirical evidence about MPCs yet. Such an empirical base is utterly essential to inform the design of MP tools that overcome the limitations identified in the existing literature. As mentioned, researchers have shed light on how users are forced to resort to coping strategies to work around the lack of appropriate support for MP online,2,3,18,40 and there is evidence of how collectively held privacy boundaries are managed offline.22 While this previous research already provides a very good foundation to build upon, further research is needed to better understand when and how often MPCs actually happen online and, more importantly, when they become a problem or lead to potential privacy violations and hence need a solution. Particular instances of MPCs users faced could be studied to understand whether they happened despite coping strategies being used, how users came up or would come up with the optimal solution for the MPCs studied, and the factors that played a role in the process. Some very recent research goes in this direction,33 having contributed the first empirical and public dataset of MPCs. Having this empirical base about MPCs would ultimately underpin a thorough understanding of MPCs and the nuanced factors that affect them from the ground up, which could then be used as the basis to design MP tools that offer support to different types of users, social groups, and relationships and can recommend optimal solutions to MPCs. Recent efforts on privacy engineering should be leveraged to ease the challenging task of going from empirical evidence to privacy design.11
User-centric MP controls. The main challenge here is how to develop usable MP tools in line with the empirical base mentioned earlier, so users could effectively manage MP with minimal effort. However, MP tools should aim for usability without becoming a fully automated solution, as this may not achieve satisfactory results when it comes to privacy in social media. Instead, users may have to provide some input into MP tools, which will then provide a recommendation, as very recent research has shown that the optimal solution for an MP conflict could be predicted given some input from the users, like the reason for their preferred privacy policy.8 However, if users have to intervene to express their individual privacy preferences and/or to accept/decline the solution recommended for each and every co-owned item and potential conflict, would this not easily become a burden on the users? How do we find adequate trade-offs between intervention and automation? There are previous studies on individual privacy in social media that could help: Tools like AudienceView20 could be used to show and/or modify the suggested solution or express individual preferences; approaches similar to Fang et al.7 could be used to learn the way users respond to MP over time; and, approaches like Watson et al.38 could be used to create suitable defaults for MP settings.
Scaled-up and comparable evaluations. The existing approaches for MP presented here were either not evaluated empirically with users,5,17,25,30,31,39 or the user studies conducted were low-scale with at most 50 participants.2,12,13,14,32,36 This is in part due to a distinct lack of systematic and repeatable methods and/or protocols to evaluate MP tools and compare them to each other. In order for evaluations to be more conclusive and generalizable, MP tools should be evaluated considering wider and more varied populations. Also, evaluation protocols should be developed with a view to maximize ecological validity, which is particularly challenging in this domain. Firstly, participants in user studies would always seem reluctant to share sensitive information with researchers37 (for example, photos they feel embarrassed about and prefer not sharing online), which would bias any evaluations toward non-sensitive issues only, leaving out the scenarios where the adequate performance of MP tools would be critical. An alternative could be evaluations with fake data/scenarios where participants self-report how they would behave, but the results may not match participants’ actual behavior in practice due to the well-known dichotomy between privacy attitudes and behavior.1 Secondly, conducting MP evaluations in the wild is very difficult, as it would require all the users affected by a particular piece of content to be studied together to understand the conflicts and whether the solutions to the conflicts are optimal. A possible way forward could be methodologies based on living labs, which would integrate and validate research in evolving real-life contexts.
Privacy-enhanced party recognition. Given a particular item uploaded, MP tools should derive the users who are affected by the item. For instance, if a user uploads a photo and tags in it all the other users that appear in the photo, MP tools can directly use this to know which users are involved. However, users often either do not tag all people clearly identifiable in a photo or incorrectly tag people who actually do not appear in the photo. Face recognition software could be used for this, such as the one developed by Facebook researchers called DeepFace,34 which has 97.35% accuracy. The question that arises is whether using face recognition software could be too privacy invasive for individuals: that is, the social media provider would be able to identify individuals in any photo, even photos outside the social media infrastructure, or individuals could be misidentified and wrongly associated with items that are not relevant to them (note that even if the accuracy of face recognition is high and false positives are low, the number of items and users is huge). Interestingly, this seems to open a completely new and exciting type of privacy-related trade-off compared to the well-known privacy-utility trade-off, namely multiparty vs. individual privacy. Note, however, that a multiparty-individual privacy trade-off will not be needed if privacy-preserving face-recognition methods27 are used by MP tools, so that parties would be recognized while preserving their privacy. Beyond photos, party recognition may be easier for some content types such as events (people invited or attending are explicitly mentioned) or even more challenging for other content such as text posts, in which affected users may not always be explicitly tagged.
Support for inferential privacy. Another issue not considered before in an MP context is that of inferential privacy. That is, it may not only be about what your friends say about you online, but also what may be inferred from what they said, regardless of the type of content. For instance, Sarigol et al.27 have demonstrated the feasibility of constructing shadow profiles of sexual orientation for users and non-users, using data from more than three million accounts of a single OSN. Note that negotiations or agreements for the case of inferential privacy may be more complex, as the reasons not to publish content may not be about the content itself but about the consequences in terms of the information that may be inferred from it, so solutions to this type of MPC might be more difficult for users to comprehend, which would also challenge the usability and understandability of MP tools. Also, we are unaware of any social media site that provides users with any sort of controls for inferential privacy, let alone any research that considers both MP and inferential privacy together.
Privacy-preservation guarantees. Last but not least, MP tools should provide some sort of individual privacy guarantees. This is particularly important when a multiparty agreement is not possible. For instance, a user may be posting on purpose content that defames another user. In these cases, there may be room for enforcing individual privacy preferences to some extent. For instance, a possible solution for photos is the work by Ilia et al.,14 which would allow users to control whether their face is shown or blurred in a particular photo. This seems an appropriate solution when an MP conflict arises and no agreement is found by the users affected, so instead of the winner taking it all, the outcome is that all users affected are guaranteed their individual privacy to some extent. This, however, does not completely remove the identification risks, as acknowledged by Ilia,14 because there is still the chance the user may be recognized even after her face has been blurred,26 and approaches that are able to remove the full body of a person and reconstruct the image do not yet exist, though there are approaches that already recognize a user’s body/gesture.28
Conclusion
Multiparty privacy (MP) is an important problem in social media that also expands into other areas of social computing where there is co-owned information such as blogs, collective intelligence, wiki pages, cloud-based file sharing,24 and collaborative documents, which have received even less attention when compared to social media for this matter. As highlighted in this article, mainstream social media does not provide adequate support for MP and, as a result, users are forced to use different coping strategies that are far from optimal. Thus, there is a need for the development of novel privacy-enhancing techniques and mechanisms to help users to manage MP. We still have a long way to go to make such mechanisms a reality and embed them in highly usable tools ready to be utilized by end users, partly due to the complex nature of MP and social behaviors, which requires an interdisciplinary approach to MP. In this article, we have introduced the area of MP tools, discussed its current state and advances, and defined a set of requirements to shape the agenda for future research in this area.
Acknowledgments
Thanks to the EPSRC for supporting this research under grant EP/M027805/1, as well as to William Aiello and the anonymous reviewers for their very useful and helpful comments on a previous version of this manuscript.
Figure. Watch the authors discuss their work in this exclusive Communications video. https://cacm.acm.org/videos/multiparty-privacy-in-social-media