Facebook and Privacy
Journal of Computer-Mediated Communication Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences Bernhard Debatin, Jennette P. Lovejoy E. W. Scripps School of Journalism, Ohio University Ann-Kathrin Horn, M. A. Institut fur Kommunikationswissenschaft, Leipzig University (Germany) ? Brittany N. Hughes Honors Tutorial College/E.
or any similar topic only for you
W. Scripps School of Journalism, Ohio University This article investigates Facebook users’ awareness of privacy issues and perceived bene? ts and risks of utilizing Facebook.
Research found that Facebook is deeply integrated in users’ daily lives through speci? c routines and rituals. Users claimed to understand privacy issues, yet reported uploading large amounts of personal information. Risks to privacy invasion were ascribed more to others than to the self. However, users reporting privacy invasion were more likely to change privacy settings than those merely hearing about others’ privacy invasions. Results suggest that this lax attitude may be based on a combination of high grati? cation, usage patterns, and a psychological mechanism similar to third-person effect.
Safer use of social network services would thus require changes in user attitude. doi:10. 1111/j. 1083-6101. 2009. 01494. x Introduction Student life without Facebook is almost unthinkable. Since its inception in 2004, this popular social network service has quickly become both a basic tool for and a mirror of social interaction, personal identity, and network building among students. Social network sites deeply penetrate their users’ everyday life and, as pervasive technology, tend to become invisible once they are widely adopted, ubiquitous, and taken for granted (Luedtke, 2003, para 1).
Pervasive technology often leads to unintended consequences, such as threats to privacy and changes in the relationship between public and private sphere. These issues have been studied with respect to a variety of Internet contexts and applications (Berkman & Shumway, 2003; Cocking & Matthews, 2000; Hamelink, 2000; Hinman, 2005; Iachello & Hong, 2007; McKenna & Bargh, 2000; Pankoke-Babatz & Jeffrey, 2002; Spinello, 2005; Tavani & Grodzinsky, 2002; Weinberger, 2005). Speci? c privacy concerns of online social networking Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 3 include inadvertent disclosure of personal information, damaged reputation due to rumors and gossip, unwanted contact and harassment or stalking, surveillance-like structures due to backtracking functions, use of personal data by third-parties, and hacking and identity theft (boyd & Ellison, 2008). Coupled with a rise in privacy concerns is the call to increase our understanding of the attitudes and behaviors toward ‘‘privacy-affecting systems’’ (Iachello & Hong, 2007, p. 100).
This paper investigates privacy violations on Facebook and how users understand the potential threat to their privacy. In particular, it explores Facebook users’ awareness of privacy issues, their coping strategies, their experiences, and their meaning-making processes. To this end, we will ? rst take a look at research on Facebook’s privacy ? aws and at existing studies of user behavior and privacy; thereafter, we will lay out our conceptual background and hypotheses, and present ? ndings from our both quantitative and qualitative empirical research.
Finally, we will draw some conclusions from our research. Literature Review Privacy and Facebook: The Visible and the Invisible The privacy concerns delineated above are con? rmed by several reports and studies on Facebook. In a report on 23 Internet service companies, the watchdog organization Privacy International charged Facebook with severe privacy ? aws and put it in the second lowest category for ‘‘substantial and comprehensive privacy threats’’ (‘‘A Race to the Bottom,’’ 2007). Only Google scored worse; Facebook tied with six other companies.
This rating was based on concerns about data matching, data mining, transfers to other companies, and in particular Facebook’s curious policy that it ‘‘may also collect information about [its users] other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service’’ (‘‘Facebook Principles,’’ 2007, Information We Collect section, para. 8). Already in 2005, Jones and Soltren identi? ed serious ? aws in Facebook’s set-up that would facilitate privacy breaches and data mining.
At the time, nearly 2 years after Facebook’s inception, users’ passwords were still being sent without encryption, and thus could be easily intercepted by a third party (Jones & Soltren, 2005). This has since been corrected. A simple algorithm could also be used to download all public pro? les at a school, since Facebook used predictable URLs for pro? le pages (Jones & Soltren, 2005). The authors also noted that Facebook gathered information about its users from other sources unless the user speci? cally opted out.
As of September 2007, the opt-out choice was no longer available but the data collection policy was still in force (‘‘Facebook Principles,’’ 2007). Even the most lauded privacy feature of Facebook, the ability to restrict one’s pro? le to be viewed by friends only, failed for the ? rst 3 years of its existence: Information posted on restricted pro? les showed up in searches unless a user chose to opt-out his or her pro? le from searches (Jones & Soltren, 2005). This glitch was ? xed in late June 2007, but only after a technology blogger made the loophole 84
Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association public and contacted Facebook (Singel, 2007). Recent attempts to make the pro? le restrictions more user-friendly and comprehensive seem mostly PR-driven and still include serious ? aws (Soghoian, 2008a). In September 2006, Facebook introduced the ‘‘News Feed,’’ which tracks and displays the online activities of a user’s friends, such as uploading pictures, befriending new people, writing on someone’s wall, etc.
An online presentation ‘‘Does what happens in the Facebook stay in the Facebook? ’’ (2007) points out a number of connections between various Facebook investors and In-Q-Tel, the not-for-pro? t venture capital ? rm funded by the CIA to invest in technology companies for the CIA’s information technology needs. The chief privacy of? cer of Facebook, Chris Kelly, accused the video of ‘‘strange interpretations of our policy’’ and ‘‘illogical connections’’ but did not substantially rebut the allegations (Kelly, 2007). Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 5 Further criticism is based on the fact that third parties can use Facebook for data mining, phishing, and other malicious purposes. Creating digital dossiers of college students containing detailed personal information would be a relatively simple task—and a clever data thief could even deduce social security numbers (which are often based on 5-digit ZIP codes, gender, and date of birth) from the information posted on almost half the users’ pro? les (Gross & Acquisti, 2005). Social networks are also ideal for mining information about relationships or common interests in groups, which can be exploited for phishing.
For example, Jagatic, Johnson, Jakobsson, and Menczer (2005) launched a phishing experiment at Indiana University on selected college students, using social network sites to get information about students’ friends. The experiment had an alarmingly high 72 percent success rate within the social network as opposed to 16 percent within the control group. The authors add that other phishing experiments by different researchers showed similar results, ‘‘We must conclude that the social context of the attack leads people to overlook important clues, lowering their guard and making themselves signi? antly more vulnerable’’ (Jagatic et al. , 2005, p. 5). A high level of vulnerability is also engendered by the fact that many users post their address and class schedule, thus making it easy for potential stalkers to track them down (Acquisti & Gross 2006; Jones & Soltren 2005). Manipulating user pictures, setting up fake user pro? les, and publicizing embarrassing private information to harass individuals are other frequently reported forms of malicious mischief on Facebook (Kessler, 2007; Maher, 2007; ‘‘Privacy Pilfered,’’ 2007; Stehr, 2006).
Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association information and their stated privacy concerns (Dwyer, Hiltz, & Passerini, 2007; Livingstone, 2008; Tufekci, 2008). However, a recent study showed that actual risk perception signi? cantly correlates with fear of online victimization (Higgins, Ricketts, & Vegh, 2008). Consequently, the authors recommend better privacy protection, higher transparency of who is visiting one’s page, and more education about the risks of posting personal information to reduce risky behavior.
Tufekci (2008) also asserted that students may try ‘‘to restrict the visibility of their pro? le to desired audiences but are less aware of, concerned about, or willing to act on possible ‘temporal’ boundary intrusions posed by future audiences because of persistence of data’’ (p. 33). The most obvious and readily available mechanism to control the visibility of pro? le information is restricting it to friends. However, Ellison, Stein? eld, & Lampe (2007) discovered that only 13 percent of the Facebook pro? es at Michigan State University were restricted to ‘‘friends only. ’’ Also, the category ‘‘friend’’ is very broad and ambiguous in the online world; it may include anyone from an intimate friend to a casual acquaintance or a complete stranger of whom only their online identity is known. Though Jones and Soltren (2005) found that two-thirds of the surveyed users never befriend strangers, their ? nding also implies that one-third is willing to accept unknown people as friends. This is con? med by the experiment of Missouri University student Charlie Rosenbury, who wrote a computer program that enabled him to invite 250,000 people to be his friend, and 30 percent added him as their friend (Jump, 2005). Similarly, the IT security ? rm Sophos set up a fake pro? le to determine how easy it would be to data-mine Facebook for the purpose of identity theft. They found that out of 200 contacted people, 41 percent revealed personal information by either responding to the contact (and thus making their pro? le temporarily accessible) or immediately befriending the fake persona.
The divulged information was enough ‘‘to create phishing e-mails or malware speci? cally targeted at individual users or businesses, to guess users’ passwords, impersonate them, or even stalk them’’ (‘‘Sophos Facebook ID,’’ 2007) These ? ndings show that Facebook and other social network sites pose severe risks to their users’ privacy. At the same time, they are extremely popular and seem to provide a high level of grati? cation to their users. Indeed, several studies found that users continually negotiate and manage the tension between perceived privacy risks and expected bene? s (Ibrahim, 2008; Tufekci, 2008; Tyma, 2007). The most important bene? t of online networks is probably, as Ellison, Stein? eld, & Lampe (2007) showed, the social capital resulting from creating and maintaining interpersonal relationships and friendship. Since the creation and preservation of this social capital is systematically built upon the voluntary disclosure of private information to a virtually unlimited audience, Ibrahim (2008) characterized online networks as ‘‘complicit risk communities where personal information becomes social capital which is traded and exchanged’’ (p. 51). Consequently, social network site users are found to expose higher risk-taking attitudes than individuals who are not members of an online network (Fogel & Nehmad, 2008). Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 87 It can therefore be assumed that the expected grati? cation motivates the users to provide and frequently update very speci? c personal data that most of them would immediately refuse to reveal in other contexts, such as a telephone survey.
Thus, social network sites provide an ideal, data-rich environment for microtargeted marketing and advertising, particularly when user pro? les are combined with functions that track user behavior, such as Beacon. This commercial potential may explain why Facebook’s valuation has reached astronomical levels, albeit on the basis of speculation. Since Microsoft’s fall 2007 expression of interest in buying a 1. 6 percent stake for $240 million, estimates of the company’s value have ranged as high as $15 billion (Arrington, 2008; Sridharan, 2008; Stone, 2007).
For the average user, however, Facebook-based invasion of privacy and aggregation of data, as well as its potential commercial exploitation by third parties, tend to remain invisible. In this respect, the Beacon scandal was an accident, because it made the users aware of Facebook’s vast data-gathering and behavior surveillance system. Facebook’s owners quickly learned their lesson: The visible part of Facebook, innocent-looking user pro? les and social interactions, must be neatly separated from the invisible parts.
As in the case of an iceberg, the visible part makes up only a small amount of the whole (see ? gure 1). The invisible part, on the other hand, is constantly fed by the data that trickle down from the interactions and self-descriptions of the users in the visible part. To maintain the separation (and the user’s motivation to provide and constantly update his or her personal data), any marketing and advertising based on these data must be unobtrusive and subcutaneous, not in the user’s face like the original version of Beacon. Figure 1 The Facebook Iceberg Model (Iceberg image © Ralph A.
Clevenger/CORBIS) 88 Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association Theoretical Approach The conceptual framework of our research is a combination of three media theories: the ‘‘uses and grati? cations’’ theory, the ‘‘third-person effect’’ approach, and the theory of ‘‘ritualized media use. ’’ While this study does not test these three media theories, they are relevant as an analytical background and a framework from which to explain and contextualize our ? ndings. The uses and grati? cations approach looks at how people use media to ful? l their various needs, among them the three dimensions of (1) the need for diversion and entertainment, (2) the need for (para-social) relationships, and (3) the need for identity construction (Blumler & Katz, 1974; LaRose, Mastro, & Eastin 2001; Rosengren, Palmgreen, & Wenner, 1985). We assume that Facebook offers a strong promise of grati? cation in all three dimensions—strong enough to possibly override privacy concerns. The third-person effect theory states that people expect mass media to have a greater effect on others than on themselves.
This discrepancy between self-perception and assumptions about others is known as the perceptual hypothesis within the thirdperson effect approach (Brosius & Engel, 1996; Davison, 1983; Salwen & Dupagne, 2000). Though this approach has far-reaching implications with respect to people’s support for censorship (known as the behavioral hypothesis), our interest is mostly focused on the perceptual side: How do Facebook users perceive effects on privacy caused by their use of Facebook and which consequences do they draw from this? Together with the uses and grati? ation theory, the third-person effect would explain a certain economy of effect perception, (i. e. , negative side effects are ascribed to others, while the positive effects are ascribed to oneself). The theory of ritualized media use states that media are not just consumed for informational or entertainment purposes, they are also habitually used as part of people’s everyday life routines, as diversions and pastimes. Media rituals are often connected to temporary structures, such as favorite TV shows at a particular time, and to speci? social rituals, such as ritualized meetings of friends to watch a favorite TV show, etc. (Couldry, 2002; Liebes & Curran, 1998; Pross, 1992; Rubin, 1984). It can be expected that the use of Facebook is at least to some degree ritualized and (subcutaneously) built into its users’ daily life—a routinization (Verallt? glichung) in a the sense of Max Weber (1972/1921). In conjunction with the two other approaches, this theory would further explain the enormous success of Facebook and users’ lack of attention to privacy issues.
Based on the literature and theories examined above, the following four hypotheses for the survey and four open-ended research questions to guide the interviews were proposed: H1: Many if not most Facebook users have a limited understanding of privacy issues in social network services and therefore will make little use of their privacy settings. H2a: For most Facebook users, the perceived bene? ts of online social networking will outweigh the observed risks of disclosing personal data.
Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 89 H2b: At the same time, users will tend to be unaware of the importance of Facebook in their life due to its ritualized use. H3: Facebook users are more likely to perceive risks to others’ privacy rather than to their own privacy. H4: If Facebook users report an invasion of personal privacy they are more likely to change their privacy settings than if they report an invasion of privacy happening to others.
Research questions: RQ1: How important is Facebook to its users and which role does it play in their social life? RQ2: To what extent is Facebook part of everyday rituals or has created its own rituals? RQ3: Which role does Facebook play in creating and promoting gossip and rumors? RQ4: Which negative effects, particularly with respect to privacy intrusions, does Facebook have? Method An online survey, conducted in spring 2007, was administered to 119 college undergraduates at a large university in the Midwestern United States.
A convenience sample was justi? ed because this is a novel research ? eld for which data are dif? cult to obtain and because online surveys rely on self-selection mechanisms and make randomized sampling dif? cult (Riffe, Lacy, & Fico, 1998). Additionally, eight participants (two male, six female) from the online survey respondent pool were selected for open-ended in-depth face-to-face interviews, which were conducted June 2007. Survey Measures The online questionnaire consisted of 36 multiple-choice questions.
Survey respondents indicated basic information regarding Facebook habits, including the amount of time with an account (6 months, 1 year, 2 years, 3 years, greater than 3 years), how often the account was checked (less than a few times per month, a few times per month, a few times per week, daily, more than 3 times per day, more than 5 times per day), and the average amount of time spent on Facebook each use (up to 5 minutes, 15 minutes, 30 minutes, 1 hour, or more than an hour). Furthermore, respondents speci? ed what types of personal information they revealed in their pro? e, such as basic descriptors (e. g. , gender, relationship status, if interested in men/women, birthday, hometown, political views, religious views), contact information (e. g. , e-mail, phone number, address, number or dorm room or house, Web site), personal interests (e. g. , favorite TV shows, movies, books, quotes, music), education information (e. g. , ? eld of study, degree, high school), work information (e. g. , employer, position), and break information (e. g. , activity, place). They also indicated what name they signed up under (i. . , if they used their real name, ? rst name only, nickname, or made-up 90 Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association name) as well as if they had uploaded a pro? le picture of themselves or additional pictures of friends, pets, etc. In order to understand users’ practices with regard to privacy, they were asked 1) if they were familiar with Facebook privacy settings (yes/no), 2) if they protected their pro? le (yes/no), and 3) how they protected their pro? e (survey options mirrored actual Facebook options: ‘‘I’m not sure,’’ ‘‘All of my networks and all of my friends can see it,’’ ‘‘some of my networks and some of my friends can see it,’’ ‘‘only my friends can see it,’’ and ‘‘I have different settings for different parts of my pro? le. ’’). Respondents further indicated when they adjusted their privacy settings (‘‘Right at the beginning,’’ ‘‘After I ? gured out how to adjust the privacy settings,’’ and ‘‘After having a pro? le for awhile’’) and, if so, why (‘‘I am generally a cautious person,’’ ‘‘I heard some concerning stories,’’ and ‘‘Don’t remember. ’) In all of these questions, respondents could only select one answer. In order to assess the role of friends in Facebook use, respondents indicated how many friends they had and what kind of ‘‘friends’’ they accept (‘‘Only people I know personally,’’ ‘‘People I have heard of through others,’’ or ‘‘Anybody who requests to be my friend’’). In order to assess some of the perceived bene? ts of Facebook, respondents were asked three separate questions, ‘‘Do you feel that Facebook helps you interact with friends and people? ’ (yes/no) ‘‘Do you think that you would have less contact with your friends if you didn’t have your Facebook account? ’’ (yes/no), and ‘‘What role does Facebook play in your everyday life? ’’ (very important/not important). Furthermore, to assess the perceived bene? ts of using Facebook, for each of these last three questions respondents’ answers were given a score of 1 for a ‘‘yes’’ answer and 0 for a ‘‘no’’ answer. These three questions were then summed and averaged in order to create a perceived ‘‘bene? ts’’ score.
In order to examine the potential risks of Facebook, respondents answered whether they had encountered any or all of these three problems on Facebook: 1) unwanted advances, stalking, or harassment, 2) damaging gossip or rumors, or 3) personal data stolen/abused by others. Respondents could check yes or no to these three questions. Respondents’ answers were given a ‘‘1’’ for a ‘‘yes’’ answer and a ‘‘0’’ for a ‘‘no’’ answer. Although the question did not differentiate between actual and perceived negative incidents, it is reasonable to assume that the subjective nature of these categories allows treating them as perceived risks.
Additionally, respondents indicated how they reacted to those negative incidents (‘‘I didn’t change anything,’’ ‘‘I restricted my pro? le and privacy settings,’’ or ‘‘I cancelled my Facebook account’’). Respondents further indicated whether each of these three negative incidents may have happened to other people (again, with yes/no options) and, if so, how respondents presumably reacted: ‘‘Did hearing about such incidences make you change your account settings? ’’ (same answer options for when a negative incident had happened to the self—see above).
Respondents were further asked, ‘‘If you were to hear about such incidents, would you change your account settings? ’’ (same answer options for when a negative incident actually had happened—see above). Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 91 In order to examine the difference between perceived negative incidents to oneself and those perceived about others, ‘‘self ’’ scores were aggregated and averaged and ‘‘other’’ scores were aggregated and averaged; thus, a third-person differential score was created by subtracting the ‘‘self ’’ score from the ‘‘other. ’ In other words, this differential score re? ected the difference between the negative effects respondents perceived about others and the perceived negative effects to themselves. To reiterate, the range for the perceived ‘‘bene? ts’’ score, the perceived negative incidents to oneself, and the perceived negative incidents to others were all 1 to 0 because each response that made up the score was assigned a ‘‘1’’ for a ‘‘yes’’ response and a ‘‘0’’ for a ‘‘no’’ response. Thus, the summed and averaged score remained on that scale. Lastly, the demographic variables gender, age, and nationality were recorded.
In-depth Interviews Eight participants (two male, six female) from the online survey respondent pool were selected for open-ended narrative face-to-face interviews, which were conducted in June 2007. At the end of the online survey, participants were asked if they would like to participate in a face-to-face interview about their Facebook use and experience. Interviewees were selected systematically by looking at their survey answers and comments (such as personal experience with privacy invasion), and pragmatically by their availability.
In qualitative research, criteria for selecting subjects are often derived from the research questions, such as the expectation of topically relevant and rich narratives; hence, a randomized, statistically representative sample for the interviews is neither desirable nor necessary (Wrigley, 2002). The names of the interviewees are anonymous to protect their privacy. The participants received a written explanation of the research objectives and ethics before signing a consent form.
Interviews followed the general interview guide approach and lasted between 45 and 90 minutes. The interviews were recorded, transcribed, and then analyzed through a combination of qualitative content analysis, typological reduction analysis, and hermeneutical/rhetorical interpretation (Fisher, 1987; Kvale, 1996; Mayring, 1990; Weber, 1990). This type of qualitative analysis is particularly fruitful when dealing with a novel ? eld that is not yet structured and requires preliminary understanding (Patton, 1990).
It is mostly based on the summarizing reduction of the material and the inductive development of analytical categories from it and, in a second step, the deductive application of categories to interpret the data. Our main categories used to identify and interpret relevant statements were (1) invasion of privacy, (2) breach of trust, (3) violation of boundaries, (4) gossip and rumors, (5) habitual or ritualized use of Facebook. Additionally, statements containing the following speci? c ? gures of speech were identi? ed for interpretation: (A) Salience—interesting or unusual expressions that indicate signi? ance and/or emotional involvement; (B) metaphors, analogies, and similes—particularly with respect to how interviewees conceptualize facebook and their use of it; (C) ellipses and allusions—particularly implicit or indirect reference to connotations and background knowledge; (D) moral judgments 92 Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association and value statements. Statements were checked for semantic intensity, frequency, and valence to reconstruct the interviewees’ understanding of their experiences and their emotional involvement.
The qualitative analysis supplements the survey ? ndings with additional evidence by providing access to Facebook users’ meaning-making processes. They give deeper insight into attitudes and behaviors with respect to Facebook use and privacy issues, narratives related to the relevance, attraction, and usage of Facebook, and experiences about invasion of privacy on Facebook. Findings Quantitative Surveys The survey respondents (n = 119) were predominantly female (68%), U. S. American (95%), and the largest age group ranged from 22–24 years old (27%).
Half of the respondents had their Facebook account for 2 years and 37% checked this account daily, with 25% checking it three times/day and 23% checking it ? ve times/day. On average, half of the respondents were spending up to 15 minutes each time they use Facebook, while 20% spent up to 30 minutes and 20% spent up to 5 minutes. Over a quarter (29%) reported that their Facebook account is always open or active when they are online. Almost 18% reported personally experiencing negative effects of Facebook, such as unwanted advances, stalking, and harassment, damaging gossip or rumor, or data theft.
Forty-seven percent said they restricted access to their pro? le because they are generally cautious, and 38% because they had heard ‘‘some concerning stories. ’’ Most respondents (83%) reported that Facebook helps them interact with friends and other people. Hypothesis tests H1 predicted that Facebook users have a limited understanding of privacy settings in social network services and, therefore, will likely make little use of their privacy settings. This hypothesis was partially supported. Contrary to H1, a chi-square analysis revealed that there was a signi? ant association between being ‘‘familiar’’ with Facebook privacy settings and utilizing privacy settings—in fact, the vast majority of Facebook users (91%) claimed indeed to be familiar with Facebook privacy issues and were also likely to restrict their pro? les (77%) through privacy settings, ? 2 (1) = 16. 3, p < . 001. However, the same chi-square analysis revealed that those who were not familiar with privacy settings (9%) were also more likely to not protect their pro? les. In other words, while the majority of users report to be familiar with privacy settings and protect their pro? es, the minority—unfamiliar users—are also not protecting their pro? les. Furthermore, only 69% of the respondents indicated that they had actually changed the default privacy settings and about half reported that they restricted their pro? le so that ‘‘only friends can see it. ’’ Importantly, the de? nition of ‘‘friends’’ may Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 93 be different in this case, as the relative majority of users (38%), have over 300 friends, followed by 24% with 200–300 friends and 18% with 100–200 friends.
Additionally, 10% reported that they accept ‘‘anybody’’ as a friend, 37% accept people ‘‘heard of through others,’’ and 52% only accept people they personally know. Furthermore, over 90% of the respondents signed up under their full real name and included their gender, date of birth, and hometown. This same percentage of respondents also uploaded a picture of themselves as well as additional pictures of friends, family, pets, etc. Four-? fths of the participants speci? ed interests, favorite TV shows, music, and movies, ? eld of study, schools attended, and e-mail address on their online pro? le. About one-third provided speci? contact information, such as phone number, address, and number of their house/dorm and room. The above descriptives tell a different side to H1, showing that although the vast majority of users claim to be familiar with Facebook’s privacy settings and report protecting their pro? le, they are allowing large groups of ‘‘friends’’ access to detailed, personal information. Therefore, H1, is partially supported because while the majority of respondents claim to understand Facebook’s privacy settings and restrict their pro? les, the minority who report being unfamiliar with the privacy settings are not restricting their pro? e. Additionally, the descriptives of respondents’ actions speak differently: Extensive personal information is being uploaded and protected with suboptimal access restrictions, in effect making it accessible to large groups of people that the respondent may not personally know—which further illuminates the fact that participants may indeed have a limited understanding of privacy issues in social network services. H2a, which predicted that perceived bene? ts of Facebook would appear to outweigh the observed risks of disclosing personal data, was supported.
A pairedsamples t-test was used to assess the difference between the perceived bene? ts and risks of using Facebook. Recall that respondents answered three yes/no questions that composed the perceived bene? ts score and three yes/no questions that composed the risks score. Results demonstrated that respondents did indeed see the bene? ts (mean = . 75) outweighing the risks (mean = . 28), t(118) = 13. 10, p < . 001. H2b, which predicted that users tended to be unaware of the importance of Facebook in their life due to its routinized use, was not supported.
A chi-square test of association showed that there was a signi? cant relationship between frequency of Facebook use and perceived importance, ? 2 (1) = 9. 07, p < . 01. Speci? cally, more respondents than expected reported using Facebook at least ‘‘daily’’ and also reported that it was ‘‘very important’’ or ‘‘important’’ in everyday life. Similarly, more respondents than expected reported using Facebook fewer than once a day reported that it was not important in their everyday life. Signi? cantly, those making Facebook part of an everyday habit seemed to recognize its importance—a shift contrary to H2b.
H3, which predicted that Facebook users are more likely to perceive risks to others’ privacy rather than to their own privacy, was supported. A paired-samples t-test was utilized to examine the difference between perceived risks to the self and 94 Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association perceived risks to others. Recall that risks to the self were summed (i. e. , respondents’ answers received a ‘‘1’’ if they indicated a risk and a ‘‘0’’ if they reported no risk) and averaged, as well as risks to others were summed and averaged.
There was a signi? cant difference between the perceived risks to the self (mean = . 07) and risks about others (mean = . 38), t(118) = ? 10. 60, p < . 001. Simply, respondents perceived more risks to others than to themselves. This ? nding further illustrates a possible third-person effect taking place. H4, which predicted that Facebook users were more likely to change privacy settings if they reported a personal invasion of privacy than if they reported an invasion of privacy to others, was supported. A chi-square test of association showed that there was a signi? ant relationship between the likelihood of changing Facebook privacy settings and the type of reported invasion (happened personally or happened to someone else), ? 2 (1) = 6. 23, p < . 05. For this analysis, only individuals who reported personally experiencing invasion of privacy (n = 23) or hearing about it through others (n = 41) were included. Speci? cally, 80% (n = 17) of those who personally experienced invasion of privacy made setting changes, while only 42% (n = 17) of those who heard about others experiencing invasion of privacy reported making changes.
Thus, more than expected were making changes after personal experience and fewer than expected were making changes after hearing of ‘‘others’’ experience. Qualitative Interviews The qualitative analysis yielded four main topical areas that will be presented in the following sections: (A) routinization—the function of Facebook in users’ daily life, (B) ritualization—the communicative and media rituals typical for Facebook usage, (C) the rumor mill—the function of Facebook as an accelerator and intensi? er of gossip and rumor, and (D) privacy invasion—actual negative effects of Facebook on users.
Routinization—Just to keep in touch? The main reason students say they use Facebook is to stay in contact with friends. Anne claims that it is ‘‘just to keep in touch, just to see what people are up to. ’’ For Emily, Facebook is important because of its convenience. Through Facebook, she can ? nd phone numbers and e-mail addresses or send messages. Answers like this con? rm that students use Facebook to easily access contact information, to communicate, and to ? nd out what’s going on in each others’ lives. But it is more than that.
Shannon described it as ‘‘kind of like you’re hanging out with all your friends, but you don’t have to be in the same room. ’’ It is like socializing without being social. Interviewees usually spend up to an hour a day on Facebook, and the prevailing pattern seems to be that they check their account multiple times a day for a few minutes at a time, as opposed to one or two longer sessions. Most interviewees admit to Facebook being important in their lives because it helps them staying in Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 5 touch with ‘‘friends back home. ’’ Jessica initially claimed that Facebook was not too important in her daily life, but later she acknowledged that she habitually looked at other peoples’ pictures on Facebook and that the pictures are essential conversation subjects. Similarly, Meghan ? rst maintained that Facebook was not important in her life but then she also admitted that it had become an integral part of her life. Given the fact that she has over 500 Facebook friends, one can reasonably assume that this may be an attempt to downplay and rationalize the signi? ance Facebook has for her. All in all, the statements from the interviews showed that Facebook had become an important part of student life, deeply ingrained in their daily routines, as is typical for pervasive technology. The grati? cations drawn from using Facebook were mostly about the convenience and ease of being socially connected to a large number of people. Ritualization—Rites with a safety net Closely related to the routinization of Facebook is its ritualistic function. Students reported joining Facebook in a ritualized way, as a rite of passage.
As long as Facebook limited its membership to college students, they signed up around the time they started college, upon hearing about it from peers and under pressure from them. Brian had the most interesting Facebook joining story: ‘‘Everyone else had one and I was like one of the ? ve people left on campus who didn’t have one,’’ he joked. While he described himself as initially ‘‘very anti-Facebook,’’ he ended up joining because his girlfriend forced him by setting up a pro? le for him. He then changed the password and has been using Facebook ever since.
User behavior on Facebook is in itself highly ritualized. The most striking example is Jessica’s story about her habit to look at their friends’ pictures: Yeah, like, I mean, cause on Friday and Saturday people go out, well, Thursday I guess, like Thursday, Friday and Saturday people will go out. Sunday people will upload pictures. So Sunday, Monday people will up pro? les and that’s when you look at everyone’s pictures. At least that’s what most people, most of my friends on Facebook do.
Jessica was, in fact, taking part in a well established weekly ritual of rehashing the weekend’s social events with her friends—not too dissimilar to other media rituals such as group watching and rehashing of favorite TV shows. Interestingly, she was also well aware of the fact that she was not reciprocating the ritual because she did not upload her own pictures, although she liked to take a lot of them. The peer pressure did not seem to be strong enough to make her share her own pictures, yet she wanted to participate in the ritual of looking at the lives of others, which seemed to con? m to the above mentioned sentiment of socializing without being social, an intimate yet distanced voyeuristic position without actual involvement. Facebook also seemed to have its own unwritten rules governing the ritual of accepting friend requests. Emily explained that on MySpace people are friends with strangers, ‘‘but on Facebook, it’s only people that you know that you’re friends with . . . I think that’s an unwritten rule for Facebook and an unwritten rule for 96 Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association MySpace. ’ The predictable environment of people she knew made Emily ‘‘feel safer’’ and she was therefore much more inclined to use Facebook than MySpace. Yet Facebook friends are not necessarily real friends. Rather, it seemed that the status of a Facebook friend could be used to maintain a ritualized distance from people, while at the same time af? rming some sort of social relationship to them. This delicate balance was well described by Anne, who stated that there was a decisive distinction between real friends she hung out with and mere Facebook friends, with whom she had limited contact.
As much as it has its own (above described) rite of initiation, Facebook also seemed to support the rite of separation young college students go through when they move away from their home town. As Ellison, Stein? eld, & Lampe (2007) have shown, this can be regarded as a form of ‘‘maintained social capital’’ that helps in keeping potentially useful contacts alive and in dealing with the distress caused by the loss of old friends. In our interview, Anne remarked ‘‘nobody is going home anymore. ’’ She had 700 Facebook friends, and she added that Facebook friends are those with whom ‘‘we’re slowly becoming not friends. ’ These three instances of ritualized Facebook use are very instructive. Not only did they con? rm how much Facebook has grown into the daily life of college students, they also revealed important social and emotional functions of Facebook in their lives. Facebook provides ritualized ways of joining and opportunities for ritualized consumption of its content, but it also rede? nes the notion of friendship and provides a peculiar safety net for falling out of touch with friends. The rumor mill—Feeding gossip and rumors
All interviewees agreed that Facebook fueled gossip and rumors, but they seemed to see this as mere side-effects of their Facebook usage and not as a main component. Students tended to see Facebook primarily as a tool to enhance social connectedness—only when speci? cally asked about the subject did they all acknowledge having ? rst-hand experience with gossip and rumors generated through Facebook, particularly through the news feed. The participants expressed mixed feelings about this feature. Most of them disliked it and the overall consensus was that it increased gossip and rumor.
Anne said she ‘‘hated’’ the news feed from its debut, but despite her dislike she still looked at the news feed out of curiosity. Brian, who has experienced the most extreme form of privacy invasion through Facebook (see below), expressed strong dislike for the news feed, since it helped fuel the rumor mill when he was dealing with a hacker. He made it clear that rumors (as opposed to mere gossip) cross the line of what is tolerable. Both Anne and Brian agreed that relationship status is an important part of Facebook gossip. Any change in the relationship status will get the rumor started, Brian said.
This indicates that inhibitions to gossip and rumor are lowered due to the news feed feature—a mechanical gossip machine—but it also highlights the interconnectedness of the Facebook world and the real world. Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 97 Emily downplayed the importance of Facebook gossip by saying that although Facebook might increase the speed rumors ? y, gossip will exist regardless. She liked the news feed and thought that relationship stories were the only ‘‘interesting’’ news feed postings.
Yet, she and her boyfriend did not immediately post their relationship on Facebook because she saw the relationship status as an important tool to create and maintain a positive image. She thought it should only be used if one is in a serious relationship. Though she believed herself to be unaffected by Facebook gossip, it turned out that she was actually heavily engaged in image management, which is just the ? ip side of the gossip mill. Meghan explained that some rumors about people’s relationships would not exist, or at least not spread as fast, without Facebook.
Similarly, some of the gossip Jessica engaged in would not exist without Facebook. She and a friend from home ‘‘keep in touch kind of like through an enemy’’ by discussing another girl’s pictures and making comments about her weight. Without Facebook, ‘‘it [the other girl’s weight] wouldn’t be a topic at all,’’ she admitted. Students agreed that pictures were important gossip starters. Pictures will get taken out of context, as both Meghan and Jessica noted, and become the center of gossip and rumors. Participants are well aware of the risks that pictures of inappropriate, frowned upon, or illegal behavior pose.
Some pictures should just ‘‘not be public knowledge,’’ Shannon said. Everybody knew someone who got in trouble for underage drinking pictures, and there was widespread interest in damage control. Several students also mentioned that future employers may look at their pro? les and that they did not want to possibly ruin their career. Overall, gossip and rumors played a central role on Facebook. Not only are they fueled by the way the news feed system works, but in some ways they also provide the social glue that keeps the community alive and interesting.
Facebook’s creators may have been aware of the social desire for gossip and its function in a social network when they introduced the news feed. Indeed, gossip and rumor-mongering make up a key element of why students use Facebook—even if they don’t want to admit it or seem not quite aware of it. Privacy invasion—Crossing the line Interviewees presented a wide range of experiences with privacy invasion on Facebook with a varying degree of actual changes in their behavior. Brian encountered the most extreme form of Facebook privacy invasion by having his pro? e hacked into multiple times, which twice led him to delete his pro? le, and (after the second occurrence) to institute strict privacy settings. The ? rst time, the hacker changed some of Brian’s groups and altered his ‘‘interested in’’ to insinuate (incorrectly) that Brian was gay. He brushed the incident off as a joke, changed his password, and ‘‘went on with everyday life. ’’ At that time, he was not aware of privacy options. Then, the hacker again entered his pro? le, changed his password back, and altered some things. Brian changed them back again and wrote on his status, ‘‘ok, you know, enough is enough . . the joke’s over, this isn’t funny anymore. ’’ On the third day, his pro? le was 98 Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association completely changed, including groups and interests, and his pro? le picture showed a combination of his head and a porn star’s body. The hacker had also put in a relationship request with Brian’s freshman-year roommate and changed his status to ‘‘I was just kidding. I’m having a hard time coming out of the closet right now. ’’ To Brian’s dismay, all these changes were made public through the news feed.
This incident prompted Brian to delete his pro? le and stay away from Facebook for 3 months. But because he felt that Facebook is ‘‘a really easy way to keep in contact with people,’’ Brian rejoined Facebook with a new e-mail address, assuming the hackers had ? nished their game. Yet six months later, his pro? le was attacked again, this time with a shot at his girlfriend. The hackers used the same manipulated pro? le picture, but added the character Donkey from the movie Shrek and tagged Donkey as Brian’s girlfriend. Brian deleted the pro? le again, and set up another pro? e with a nonschool e-mail and strict privacy settings. The whole incident left him guessing who did it and why. He also said that he was very upset about the incident, particularly because his girlfriend became the target too. It is remarkable that Brian stayed with Facebook and kept coming back to it again and again. This case illustrates that the bene? ts and grati? cations from using Facebook as a social tool can override the effects of even extremely negative experiences. Peter also had an invasion of privacy experience with Facebook that prompted him to delete his pro? le.
He got into an argument with another man in a Facebook group after criticizing the group’s disapproval of men wearing a certain item of clothing. After the two of them argued back and forth through e-mail and Wall postings, the opponent posted the entire conversation on his group pro? le so it was public and Peter was unable to delete or change it. To have the comments removed, Peter had had to delete his account and set up a new one. He then restricted his new pro? le so that only his friends could see it, and reduced his friends from 500 friends to about 26 people he actually knew.
His reasoning was that he wanted to be able to express himself without getting judged by people who did not know him. Two additional interviewees experienced unwanted contact through Facebook. Anne removed her screen name from her Facebook pro? le after she received ‘‘random’’ instant messages from people who got her information through Facebook. She also removed her cell phone number after getting Facebook messages referencing her cell phone number. Anne has restricted her pro? le to be viewed by her friends only, but with her 700 Facebook friends, this restriction seems rather meaningless.
Shannon recounted being tracked down by a man that she had borrowed a scarf from at a party. About a month or two later, he e-mailed her and called her home phone number, asking for the return of his scarf. He told her that he had found her through Facebook and then got her home phone number from the university directory. This seemingly benign incident made her uncomfortable and she subsequently tightened her security settings. These stories show that privacy invasion is part of the Facebook reality and not just a hypothetical possibility.
The intrusions into the users’ personal lives create feelings of anger, lack of control, and fear. At the same time, users seem to adopt Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 99 two complementary types of coping strategies. The technical strategy is to tighten the privacy settings; the psychological strategy is to integrate and transform the incidents into a meaningful and ultimately unthreatening context. Knowing or at least believing to know who the perpetrator is creates a feeling of control and reassurance.
The perpetrators are branded immature individuals or creeps, and the incidents tend to be minimized as pranks, exceptions, or events from a different world: ‘‘In the end,’’ said Brian, re? ecting on the hacking incident, ‘‘it’s just Facebook. . . There was a time before Facebook. You can do without it. It’s ok. ’’ Discussion This study examined the relationship of Facebook privacy issues, privacy settings, perceived bene? ts and risks, routinization and ritualization, and invasion of privacy to the self and others among a college population. Survey ? dings indicated that while the majority of Facebook users report having an understanding of privacy settings and make use of their privacy settings, it is also apparent, however, that they may have a skewed sense of what that exactly entails. Additionally, as hypothesized, perceived bene? ts of online social networking outweighed risks of disclosing personal information. Risks to privacy were ascribed more to others than to the self. If Facebook users reported an invasion of personal privacy, users are more likely to change privacy settings than if they reported hearing of an invasion of privacy happening to others.
In general, the ? ndings from the qualitative interviews corroborate the survey ? ndings. Most strikingly, the interviews exempli? ed how deeply Facebook is integrated into daily routines and rituals, and how much it has produced its own routines and rites. The habitual use of Facebook and its integration into daily life indicates that it has become an indispensable tool of social capital and connectedness with large numbers of people. The bene? ts of Facebook outweigh privacy concerns, even when concrete privacy invasion was experienced. All in all, the ? dings of our study con? rm the results of previous studies on social networking, particularly with respect to routinization, privacy awareness, privacy settings, and trust (boyd & Ellison, 2008; Ellison, Stein? eld, & Lampe, 2007; Jones & Soltren, 2005; Tufekci, 2008). Previous studies on social networking have also found a discrepancy between users reporting understanding and caution in regards to privacy and actually implementing the necessary steps to safeguard detailed personal data (Dwyer, Hiltz, & Passerini, 2007; Livingstone, 2008; Tufekci, 2008).
While the Facebook users in our study report familiarity and use of privacy settings, they are still accepting people as ‘‘friends’’ that they have only heard of through others or do not know at all and, therefore, most have very large groups of ‘‘friends’’ that have access to widely uploaded information such as full names, birthdates, hometowns, and many pictures. Additionally, many users are not changing default privacy settings, making them rely on lax, initial startup settings. Thus, conceptually, individuals may understand 100
Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association the dangers of posting personal content on Facebook, but the desire to include personal information (this is after all what social networking sites do—allow others to get to know the individual behind the name) and the facade of only allowing ‘‘friends’’ access, eases users into believing that they have done an adequate job in protection. Therefore, it seems likely that the risks pale in comparison to the perceived bene? ts, even though many users report having observed the risks of using a Facebook account.
Perhaps the evolving obsession with developing a persona and maintaining communication through technology (Twitter, texting, instant messaging, posting to social networking account, Second Life, etc. ) is so embedded in the typical college students’ ecology that to not engage in this form of communication would be social death. Contrary to the survey ? ndings, interviewees tended to underestimate Facebook’s actual importance to them. This can be seen as an expression of the level of Facebook’s integration into students’ lives: A truly pervasive technology with a high level of grati? ation, Facebook has become an almost invisible part of students’ everyday life. Part of this grati? cation is also the ability to participate in intimate yet distanced voyeuristic practices and to watch the gossip and rumor mill through the news feed and friends’ pictures. The aggregated visibility of user activity through the news feed turned out to be a driving force in the production and proliferation of gossip and rumors. Facebook allows users to maintain super? cial social relationships with large numbers of people.
In network theory, this phenomenon is discussed as ‘‘weak ties in the ? ow of information’’ (Gross & Acquisti, 2005, p. 2f), but this does not capture the sociopsychological function of the ritual, which became apparent in the interviews—to keep people at a ritualized distance. Possible consequences and negative side effects are also often seen as something that only happens to others: As long as they don’t have direct personal experience with invasion of privacy, at least some users seem to think of privacy risks in terms of a third-person effect. Moreover, the conveniences and grati? ations of Facebook as a social tool seem to override privacy concerns even in those cases where actual invasions of privacy were experienced. This was particularly well ampli? ed in the story of the interviewee whose pro? le was hacked multiple times and who kept coming back to Facebook regardless. The coping strategies that the victims of privacy invasions tend to employ, however, demonstrate the affected users’ urge to regain control. Restricting not only one’s pro? le but also the number of one’s friends is a reasonable strategy, and so are the meaning-making strategies that help to minimize feelings of fear and powerlessness.
Though appropriate, these strategies are circumstantial and opportunistic, rather than expressions of stringent rational behavior—otherwise the risks Facebook poses to privacy would not be taken lightly in the ? rst place. Although this data suggests a third-person effect (perceived risk to the privacy of others is greater than the perceived risk to personal privacy) this may be misleading because in reality users potentially hear about problems or bad stories from many different people and yet only have a singular understanding of their own potential for risk.
In fact, our survey showed that users are actually more likely to take action Journal of Computer-Mediated Communication 15 (2009) 83–108 © 2009 International Communication Association 101 or protect information if a negative experience happens to the self as opposed to hearing about it happening to others. Thus, while a third-person effect is evident in measuring the potential risk of privacy invasion, personal vio