Professional Documents
Culture Documents
Anja Bechmann
a
_____________________________________
INTRODUCTION
Social networking sites such as Facebook are extremely influential as
social data hubs on the internet. Through a simple authentication
process, they collect extensive personal and sensitive user data across a
wide range of services and users accept this through click-wrap
agreements in privacy policies or in third party app contracts.
When signing contracts offline the setting is often formalized in for
instance one-to-one meetings between the client and the company.
Online such formalization is taking place as a pop-up window that has to
be dealt with before returning to the actual task. However, building on
Copyright 2014 Journal of Media Business Studies. Anja Bechmann, Non-informed Consent
Cultures: Privacy Policies and App Contracts on Facebook, 11(1): 21-38 (2014).
22
existing studies the article will show that the practice of pop-up windows
and click-wrap agreements does not transfer the formality from the
offline practices. On the contrary it is debatable if in fact the consent
given can be regarded as informed at all (Solove, 2013).
The intense public criticism of informed consent as a way to
circumvent the processing and protection of personal data online has
influenced the current proposal of a renewed General Data Protection
Regulation in EU (com(2012)11 final). This proposal has an emphasis on
the elaboration of informed consent. In the proposal from the
Commission, the role of consent as a legal basis for processing personal
data is changed, but does it solve the internet cultural problem?
The aim of this article is to use this increased legal focus on informed
consent as a motivation to compare existing privacy regulation with
practices of informed consent in social media. The article sets out to
examine the culture of informed consent on Facebook and the legal
consequences of this culture. Statistics from countries within and outside
EU show that most users of social networking sites do not read the
privacy policies of the sites or the applications from third party
stakeholders that use their data (see e.g. Danmarks Statistik, 2011;
Nissenbaum, 2010; Solove, 2013). Is the agreement between the social
network site and the user legal then? Is it informed consent? This article
will critically discuss the EU directives definition of informed consent in
comparison with the culture of click-wrap agreements on Facebook using
a qualitative case study of 15 Danish high school students.
THEORETICAL FRAMEWORK
The starting point for informed consent in this article is a critical
political economy inspired lens, focusing on internet policy and
regulation. Political economy scholars are preoccupied by the structural
as well as processual power relations in society (Mansell, 2004:97).
Instead of accepting the status quo, scholars often challenge inequality
and what they perceive to be unjust (Wasko, Murdock & Sousa, 2011:3).
Often, political economy studies are focused on the macro-level (Mansell,
2004). Following the macro-level works of Solove (e.g. 2013) and
Nissenbaum (2010; 2011), the article critically discusses how individual
privacy is downplayed as a result of the click-wrap agreement culture on
the internet.
As noted by Nissenbaum, among many other scholars (e.g. Jorstad,
2001; Barnes, 2006), privacy exists in a paradoxical relationship between
wanting privacy on the one side and the need for convenience, discounts
or services on the other (referred to as the privacy paradox), hence the
reason for always discussing privacy in context (Nissembaum, 2010).
Nissenbaum (2011) and Solove (2013) stress the importance of the
consent dilemma when discussing informed consent.
23
24
groups of friends who share the service or app invite through social
referral potentially influence the decision even though an individual
behind a digital device makes the decision. Forsyth describes groups as
two or more individuals who are connected to one another by social
relationships (Forsyth 2006:3). Consequently, this article does not
theorize about Facebook users only as individual selves, but also on users
connected to one another (on Facebook) through interdependent social
relationships as relational and collective selves (Sedikides, Gaertner &
OMara, 2011; Ess & Bechmann, 2013). To Forsyth, interdependency
means that members can be influenced and influence other members in a
group (Forsyth, 2006: 11).
Decision-making in groups often provides significant drawbacks and
lead to poor or misinformed decisions. Janis (1982) uses the term
groupthink to describe how groups strive for unanimity instead of
considering alternative courses of actions. Group thinking tends to
increase with rapid decision-making and the more cohesive groups the
more likely group thinking is. Additionally, Haslam (2004) shows that
groups tend to be more persuaded by consensus than arguments and
Sanders & Baron (1977) show that group members spontaneously
compare themselves to each other and may move away from differences
and towards the groups view. Furthermore, studies show that groups
also make riskier decisions than individuals (Lamm & Myers, 1978) and
free riding or social loafing tends to take place in decision-making
because group members rely on the other members effort thereby
degrading group performance (Hastie & Kameda, 2005). Studying group
judgment processes Kerr et al. (1996) show that group members tend to
conclude that an outcome is less likely to occur if they cannot imagine it.
Therefore groups may falsely rely on oversimplified information in
decisions.
This article will use these psychological findings to discuss the
results of a qualitative case study of data disclosure decision-making and
informed consent culture and secondly to compare it with the legal
definitions. This will add to existing social and regulative studies by
combining micro-level qualitative studies and macro-level legal analysis
to ground the critical discussion in actual usage patterns and the legal
definition of informed consent.
25
At the time of registration Google+ was not released yet. Release date 28 June 2011.
26
27
active (i.e. the statistics do not account for apps the user had deleted
prior to the study).
When we asked if they had read the extended permissions that they
gave to the app all but one answered no. This despite the fact that
Facebook follow the cookie law tracking practice of showing these
permissions in a pop up window with a clear bullet list and if the
permissions include access to e.g. newsfeed or inbox there will be several
pop-up windows with extended permissions. The student that had read
the permissions only had a few apps because the student deleted them
when they were no longer in use, but why did the student agree to the
terms of use despite resistance?
I am deciding for myself what is most important to me: that I need to
accept this [an app permission] or that I want to use the app. And
then sometimes, if someone, for example on The Guardian, someone
has read an article and then if I want to read the article then I have to
accept them [the app permissions] and then the first five times, and
then I think, well whatever, then I do not want to read it. And then
finally, okay I accept
The high school student is describing a situation of strong
ambivalence towards the need to accept permissions that the student
finds highly inappropriate in order to be a part of the socialization that is
taking place in the group of friends. The study design furthermore
confirms the protective behavior in the fact that the student only has 3
apps.
If we return to the psychological studies this decision-making
behaviour can be explained as follows: Despite the student having
knowledge of the app EULAs that the other members of the group do not
have the student tends to lean towards the decision of the group. Even
though the student has a very cautious approach to app use (deleting
apps) the student is willing to take risks of disclosing data to be part of
the group socialization. However, it is not possible from the data to
conclude that the decision is made due to social loafing (Hastie &
Kameda, 2005), relying on other group members to have read the EULAs
thoroughly and consented on an informed basis before sharing with the
student in question. Rather the study indicates that the risks are
downplayed compared to the social meaning of the acceptance. We will
return to the risk assessment in the next section.
The Danish statistics (Danmarks Statistik, 2011) in the prior section
show that 31% have read privacy policies in the target group, but this
number is much higher than what the case study shows where none have
read them. This despite the fact that the case study is looking at
educated high school students. This may indicate that there can be
biases in question-based and especially survey-based studies where
there can be a need to picture oneself more informed than the case really
is. Despite our ability to investigate if the students have read the privacy
28
policy, the mixed method design of the case study was able to correlate
between app permission answers and number of apps installed at the
time of the study. Even though the case study is not representative, it
points to a very non-informed consent culture, as the students simply do
not read either the privacy policies or the app permissions given to
Facebook Apps.
The one student that actually did read the app permissions
furthermore added to the dilemma; if social media became an informed
consent culture the relationship between Facebook and the user would be
too unequal. In other words, the student needed to accept the conditions
in order to carry out a particular socialization with friends. Like group
decision-making theories suggest (e.g. Forsyth, 2006; Janis & Mann,
1977) the participants and their group of friends minimized the
importance of negative consequences.
Relational Reciprocity or Companies
Moving forward from the finding that they did not read either privacy
policies or app permissions on Facebook, we wanted to show them what
information we could retrieve when we acted as a third party company
(as applications do) in order to register their immediate reactions. We
retrieved their network of friends; newsfeed with the posts from their
friends; walls with for example posts, likes, and photos; all groups
(including secret ones); basic information: name, email and profile
pictures; geographical locations (if they had indicated any in the data
upload); and what kind of app the content was uploaded from. We knew
that they would not read the information if we just sent it out to them, so
we asked them both in speech and writing if they wanted to share this
information beforehand.
Most of the students were surprised how much and how detailed
information we (as an app) could retrieve; however, at the same time
they found it highly non-disturbing if companies retrieved data about
them. Confirming findings from existing studies (e.g. Raynes-Goldie,
2010; boyd & Marwick, 2011), they were mainly concerned with their
circles of friends. They preferred a reciprocal relationship on Facebook
along the line of this citation from one student: I can see all them that
can see me. That is very nice. Their primary concerns were: was the
identity intact to their different circle of friends and did the information
disclosure take place as data revelation to, for example, excluded friends.
These two citations from the students summarize this attitude:
If some company knows that about me, it really does not matter, really
[] but I would not want my friends to know, what I write to her
about [] but if a company knows [] what would they use that for?
Yes, because the things that is private to me, is perhaps, even if the
companies could use it, it does not matter for them to use it
29
It is totally crazy how much they know about you, but on the other
hand, I am a bit ambivalent here, because who is really looking
through your entire profile?
Most of the students consider themselves as numbers to the
companies and not as individuals and this is why in their opinion they
are not concerned with data disclosure towards companies. They had
difficulties imagining potential risks other than economic theft and
photo-manipulation. Kerr et al. (1996) suggest that if the outcome is
difficult to imagine for the group they will conclude that it is less likely to
occur. It is difficult from the findings of this study to conclude if this
rationale is the case, but the study shows that the students had
difficulties in imagining real potential risks. To them data disclosure is a
part of the deal they have made with free social media services including
Facebook. This relationship was so natural for them that they did not
question it even though we ended up suggesting many potential threats.
Only a few thing struck them as potentially problematic when asked
directly by the interviewer: firstly, if they shared account information
written in their inbox; secondly, if companies such as Facebook or third
party companies use personal data (such as photos of the person in
question) falsely to show behavior that they did not do (for example, if
Facebook showed an advertisement to their friends stating that the
student liked a brand that they had never demonstrated a preference
for); and thirdly, they found it inappropriate that Apps were able to
identify friends and retrieve data posted by their friends through the
students app permission agreement.
However, this stands in contrast to the agreement they signed with
Facebook and third party apps, which stipulates that they are allowed to
redistribute data once it is published. Again if we see this as an act of
group decision-making it confirms how the students bolster (Janis &
Mann, 1977) choices by emphasizing positive aspects and downplaying
negative consequences in the quick decision-making process.
Blissfully Unaware?
The privacy paradox has been described by several studies (e.g. Barnes,
2006; boyd & Marwick, 2011; Nissenbaum, 2010, Stutzman, Gross &
Acquisti, 2012) as the fact that users want convenience above privacy,
but do care about privacy if they are asked about it. In other words, I
would identify the relationship as a matter of hands (behavioral
patterns) and head (intellectual reflection). However, returning to the
psychological framework an important understudied question arises: Do
users actually want to know where their data is shared because this
information would potentially affect their group behavior significantly?
The dual relationship between the head and the hand has led some
researchers to suggest transparency; instead of working with a general
understanding and definition of privacy we need to work (legally) with a
case of contextual privacy (Nissenbaum, 2010). Transparency suggests
30
that we always are able to see and know where our information is used
and what it is used for, and contextual privacy ensures that data cannot
be used outside the context in which it was provided. However, both
concepts raise new challenges: in the city of Facebook, we experience an
ever increasing data complexity and infrastructure that means
accounting for transparency would lead to intransparency. As noted in
the theoretical framework this has also been termed the transparency
paradox by Nissenbaum (2011). Furthermore, the complex, ubiquitous
and interwoven data infrastructure means that both from a technical and
especially usage perspective, it is difficult to determine when one context
ends and a new one begins. It is also fairly certain that the technical and
usage perspective on context will not be the same.
Forsyth (2006) among others (e.g. Baker, 2010) use the term social
information bias to describe that group members are inclined to base
their decisions on shared knowledge, not on more precise or better
knowledge that only few members of the group possess. In the case of
social media and Facebook this means that transparency regarding
information flows, according to the theory of shared information bias,
only will be effective if all group members share the information.
Otherwise the group will not even consider adjusting behavior
accordingly.
Building on Pew Research findings, Keller (2013) suggests that
teenagers increasingly adjust self-portraying and data sharing so it only
contains the public picture of them, thereby leaning more towards the
head than the hand and slightly delimiting the privacy paradoxical
relationship.
This is partly true in our case study on Facebook as well, but only
partially. The students consider the timeline as their public identity, but
place private content in inbox, chat, or private/secret groups (see
Bechmann forthcoming, 2014). The students were very good at reflecting
on privacy in the timeline feature, and we only succeeded in finding very
few content items with, for example, words with sexual associations
(mostly Face-rapes as data sharing on another persons behalf through
his/her login). They were very careful not to post anything private on the
timeline. Private meant things they would be embarrassed to share or
disclose now and in the future, as one student said: That, which you
think is private, may be disclosed somewhere sometime anyway. If they
had regrets about content they would simply delete it after considering if
this in fact was harmful. The classical (media) case of harmful scenario
for them was future job recruitment. In this case, most content was
acceptable because it would be a concern to them if the recruiter did not
find anything unusual.
However, the students did not consider privacy issues in other
features of Facebook such as inbox and secret groups. Confirming and
renewing Acquisti & Gross (2006) findings they simply did not know that
apps could retrieve data from these features. This again points to the
31
32
33
34
They cannot turn down privacy policies or app permissions and they
cannot customize the setting in order to take into consideration their own
privacy limits and data disclosure attitudes. In other words, are you left
out of social life if you do not have a profile on Facebook? Legal practices
especially have focused on younger people and children from the age of
13 and up, which includes the target group that is investigated in this
article. Secondly, adding to the fact that the students did not read the
agreements they made with Facebook, often the terms and conditions
change without any real possibilities for the data subject to renew his or
her consent. The conditions are in other words forced on the users of the
social media services. Finally, supporting Soloves (2013) general
discussion on informed consent the findings show that the students are
insecure or directly unaware of the scope and consequences of data
processing. The data infrastructure is too complex and ubiquitous for
them to fully comprehend. Specifically, in terms of the connections
between the data shared in one context and the uses in other potential
contexts. Users without any technical knowledge (even with technical
knowledge) are not able to see through the data processing in social
media.
The existing EU regulation does not take into consideration the
social values and dependency, present in the irrational and potentially
risky data disclosure decision-making process. The students want to be a
part of the social network and the social interaction taking place here
and that is why they have to disclose information as a gift in return for
the Facebook service. Looking at the new proposal for a General Data
Protection Regulation the explicit consent (e.g. discouraging pre-ticked
boxes) and uneven power relationship in informed consent is addressed.
However, it will likely fall in the final version and, building on the
practice from the cookie law directive, the question that remains
unanswered is: how can this be acted out when unread click-wrap
agreements are part of internet culture?
The article has suggested that the decision-making process of either
accepting or declining EULAs and permissions happens as relational and
collective selves following group dynamics that are not reflected in the
legal definition of informed consent neither in existing regulation nor in
proposed changes. However, unwanted social decision-making dynamics
such as groupthink, social loafing, and shared information bias may be
incorporated in the definition and demands for consent in the active use
of for instance social referral. Using the personal network of friends for
privacy information and settings instead of (hiding) and isolating them
would maybe reduce the shared information bias.
CONCLUSION
The qualitative case study has shown that informed consent is not taking
place among the 15 Danish high school students. Neither in a practical
35
sense nor in a legal sense when we consider the actual usage patterns.
Instead the findings indicate a non-informed consent culture. The
possible neglect of explicit consent (including discouraging pre-ticked
boxes) and power imbalance between the user and the service provider in
the regulative change process is a step in the wrong direction compared
to the findings in this article as well as existing social science studies.
The students do not consider Facebook timeline information as
private and they only post things they are not embarrassed about.
However, they have a hard time fully comprehending the actual future
instances of the data use and are unaware of the ability to draw data
from the private features in Facebook such as newsfeed, inbox and secret
groups. The findings correspond with and extend conclusions in existing
studies (e.g. Acquisti & Gross, 2006; boyd & Hargittai, 2010; boyd &
Marwick, 2011). These studies also show a reflective approach to privacy
and that users adjust behavior through customized strategies, albeit
different from the ones that are identified in this article. The findings in
this article highlight privacy and informed consent as both an individual
and social process subject to group dynamics.
Neither the existing or proposed future legislation try to absorb and
take into account these social dynamics in the definition of and
requirements for informed consent. There is a long way from the idea of
informed consent as an isolated agreement that has been accepted once
or is being accepted on a regular basis to the practice of skipping
information in order to get to the service, relying on consensus among
group members, or to simple engage in a gift economy where the
Facebook individual has to deliver data in return for socialization. The
idea of informed consent in the existing and future proposal simply
neglects to offer a solution on this problem.
Compared to informed consent given in offline settings or in for
instance online banking or client-based software installations the social
referral aspect and thereby group decision-making dynamics play a
paramount role in the social media setting. In order for users to receive
requests from apps or an invite to join social media networks they know
that their trusted friends have already accepted the EULAs. Facebook
Connect and other social media authentication solutions are increasingly
being incorporated in other services. This highlights the need for
updating the current legislation by integrating group decision-making
dynamics to a much larger extent.
Returning to the starting point of the article Solove (2013) suggests
that we need to consider the social values instead of merely the
individual choice in the informed consent and privacy self-management
discussion. This article proposes that we not only have to acknowledge
the social values that motivates informed consent, but the social
dynamics that control the decision-making process. In doing so we have
to remember that it is neither an individual nor a collective process, but
both, depending on the context in which consent is given.
36
ACKNOWLEDGEMENTS
REFERENCES
Acquisti, A. & Grossklags, J. 2012. An Online Survey Experiment on Ambiguity and
Privacy, Digiworld Economic Journal, 88(4): 19-39.
Acquisti, A. & Gross, 2006. Imagined communities: Awareness, information sharing, and
privacy on Facebook, Privacy enhancing technologies workshop (PET), accessed 3
November 2013: http://www.heinz.cmu.edu/~acquisti/papers/acquisti-gross-facebookprivacy-PET-final.pdf
Baker, D.F. 2010. Enhancing group decision making: An exercise to reduce shared
information bias. Journal of Management Education, 34:249-279.
Barnes, S. 2006. A privacy paradox: Social networking in the United States, First Monday,
11(9), 4 September.
Bechmann, A. forthcoming (2014). Managing the interoperable self, (eds. Bechmann, A. &
Lomborg, S.) The Ubiquitous Internet, New York: Routledge.
Bechmann, A. 2013. Internet Profiling: The economy of data intraoperability on Facebook
and Google, Mediekultur: Journal of Media and Communication Research, 29(55).
Bodle, R. 2011. Regimes of sharing, Information, Communication & Society, 14(3): 320-337.
boyd, D. & Hargittai, E. 2010. Facebook privacy settings: Who cares?, First Monday, Vol.
15, No. 8.
boyd, d. and Marwick, A. 2011. Social Privacy in Networked Publics: Teens Attitudes,
Practices, and Strategies. In Proceedings of A Decade in Internet Time, 21 - 24
September 2011, University of Oxford.
Danmarks Statistik (2011) Befolkningens brug af internet 2010, Danmarks Statistik,
Copenhagen.
Ess, C. & Bechmann, A. 2013. Mobile media and communication research: At the intersections between methods and ethics, panel at Nordmedia 2013, Oslo University,
August 9.
Forsyth, D.R. 2006. Group Dynamics, Belmont, CA: Wadsworth, Cengage Learning.
37
Haslam, S.A. 2004. Psychology in organizations. The social identity approach, Thousand
Oaks, CA: Sage.
Hastie, R. & Kameda, T. 2005. The robust beauty of majority rules in group decisions,
Psychological Review, 112:494-508.
Janis, I.L. 1982. Groupthink: Psychological studies of policy decisions and fiascos, Boston:
Houghton Mifflin.
Janis, I.L. & Mann L. 1977. Decision making: A psychological analysis of conflict, choice,
and commitment. New York: Free Press.
Jorstad, E. 2001. The Privacy Paradox, Wm. Mitchell Law Review, 27:1503-1526.
Keller, J. 2013. Teenagers care more about online privacy than you think, Salon, May 23,
retrieved July 5, 2013.
Kerr, N.L., MacCoun, R.J., & Kramer, G.P. 1996. Bias in Judgment: Comparing individuals
and groups, Psychological Review, 103:687-719.
Kvale, S. 1996. Interviews: An Introduction to Qualitative Research Interviewing,
Thousand Oaks: Routledge.
Lamm, H. & Myers, D.G. 1978. Group-induced polarization of attitudes and behavior,
Advances in Experimental Social Psychology, 11:145-195.
Mansell, R. 2004. Political Economy, Power and New Media, New Media Society, 6(1); 96105.
Neuhaus, F. & Webmoor, T. 2012. Agile Ethics for Massified Research and Visualization,
Information, Communication & Society. 15(1): 43-65.
Nissenbaum, H. 2010. Privacy in Context: Technology, Policy, and the Integrity of Social
Life. Stanford, CA: Stanford Law Books.
Nissenbaum, H. 2011. A Contextual Approach to Privacy Online, Ddalus, 4:32-48.
Pew Internet Research (2012) Facebook: A Profile of its friends, Pew Internet Research
Tumblr, May 16: http://pewinternet.tumblr.com/post/23177613721/facebook-a-profileof-its-friends-in-light-of
Raynes-Goldie, K. 2010. Aliases, creeping, and wall cleaning: Understanding privacy in the
age of Facebook, First Monday, 15 (1).
Sanders, G.S. & Baron, R.S. 1977. Is social comparison irrelevant for producing choice
shifts? Journal of Experimental Social Psychology, 13:303-314.
Sedikides, C., Gaertner, L. & OMara, E.M. 2011. Individual self, relational self, collective
self: Hierarchical ordering of the tripartite self, Psychological Studies, 56(1): 98-107.
Solove, D.J. 2013. Introduction: Privacy Self-Management and the Consent Dilemma,
Harvard Law Review, 126: 1880-1903.
Stutzman, Gross & Acquisti (2012), Silent Listeners: The evolution of Privacy and
Disclosure on Facebook, Journal of Privacy and Confidentiality, 4(2), p 7-41.
38
Wasko, J., Murdock, G. & Sousa, H. 2011. Introduction: The political economy of
communications: Core concerns and issues, The Handbook of Political Economy and
Communications, West Sussex, Blackwell: 1-10.
Article 29 Working Party: Opinion 15/2011 on the definition of consent (WP 187), adopted
on 13 July 2011
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387e
n.pdf
http://register.consilium.europa.eu/pdf/en/13/st10/st10227-ad01.en13.pdf