Schneier on Security
A blog covering security and security technology.
« The Effectiveness of Political Assassinations |
| Personal Code Ink »
April 20, 2010
Young People, Privacy, and the Internet
There's a lot out there on this topic. I've already linked to danah boyd's excellent SXSW talk (and her work in general), my essay on privacy and control, and my talk -- "Security, Privacy, and the Generation Gap" -- which I've given four times in the past two months.
Last week, two new papers were published on the topic.
"Youth, Privacy, and Reputation" is a literature review published by Harvard's Berkman Center. It's long, but an excellent summary of what's out there on the topic:
Conclusions: The prevailing discourse around youth and privacy assumes that young people don't care about their privacy because they post so much personal information online. The implication is that posting personal information online puts them at risk from marketers, pedophiles, future employers, and so on. Thus, policy and technical solutions are proposed that presume that young would not put personal information online if they understood the consequences. However, our review of the literature suggests that young people care deeply about privacy, particularly with regard to parents and teachers viewing personal information. Young people are heavily monitored at home, at school, and in public by a variety of surveillance technologies. Children and teenagers want private spaces for socialization, exploration, and experimentation, away from adult eyes. Posting personal information online is a way for youth to express themselves, connect with peers, increase popularity, and bond with friends and members of peer groups. Subsequently, young people want to be able to restrict information provided online in a nuanced and granular way.
Much popular writing (and some research) discusses young people, online technologies, and privacy in ways that do not reflect the realities of most children and teenagers’ lives. However, this provides rich opportunities for future research in this area. For instance, there are no studies of the impact of surveillance on young people-- at school, at home, or in public. Although we have cited several qualitative and ethnographic studies of young people’s privacy practices and attitudes, more work in this area is needed to fully understand similarities and differences in this age group, particularly within age cohorts, across socioeconomic classes, between genders, and so forth. Finally, given that the frequently-cited comparative surveys of young people and adult privacy practices and attitudes are quite old, new research would be invaluable. We look forward to new directions in research in this area.
"How Different Are Young Adults from Older Adults When it Comes to Information Privacy Attitudes & Policy?" from the University of California Berkeley, describes the results of a broad survey on privacy attitudes.
Conclusion: In policy circles, it has become almost a cliché to claim that young people do not care about privacy. Certainly there are many troubling anecdotes surrounding young individuals’ use of the internet, and of social networking sites in particular. Nevertheless, we found that in large proportions young adults do care about privacy. The data show that they and older adults are more alike on many privacy topics than they are different. We suggest, then, that young-adult Americans have an aspiration for increased privacy even while they participate in an online reality that is optimized to increase their revelation of personal data.
Public policy agendas should therefore not start with the proposition that young adults do not care about privacy and thus do not need regulations and other safeguards. Rather, policy discussions should acknowledge that the current business environment along with other factors sometimes encourages young adults to release personal data in order to enjoy social inclusion even while in their most rational moments they may espouse more conservative norms. Education may be useful. Although many young adults are exposed to educational programs about the internet, the focus of these programs is on personal safety from online predators and cyberbullying with little emphasis on information security and privacy. Young adults certainly are different from older adults when it comes to knowledge of privacy law. They are more likely to believe that the law protects them both online and off. This lack of knowledge in a tempting environment, rather than a cavalier lack of concern regarding privacy, may be an important reason large numbers of them engage with the digital world in a seemingly unconcerned manner.
But education alone is probably not enough for young adults to reach aspirational levels of privacy. They likely need multiple forms of help from various quarters of society, including perhaps the regulatory arena, to cope with the complex online currents that aim to contradict their best privacy instincts.
They're both worth reading for anyone interested in this topic.
Posted on April 20, 2010 at 1:50 PM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Children today have a much better idea of real-world risks than their parents and teachers do.
Ie: they realize that the likelihood of someone tracking them down and hurting them as a result of posting some information online is vanishingly small.
These kids, unlike their parents, understand that there is no boogyman under every bush.
(government statistic show that, per capita, children today are as safe or safer than their counterparts 30 years ago).
I agree, but that only applies to the "bogeyman" risk that seems to be the only risk to children online that people care about. Kids know that it's very unlikely that they'll get kidnapped based on info they put up on the internet.
Kids have the same problems the rest of us do with regard to privacy on the internet - identity fraud, overly zealous law enforcement, etc. They're just less likely to know about them, both because of a general lack of experience and because they know they're being fed a load of FUD about the "cyber-molesters," so they're even less likely to listen to someone telling them about the real problem. They're so busy (correctly) ignoring the fake problem that they ignore the real one, too.
"Children today have a much better idea of real-world risks than their parents and teachers do."
Of course they do, kids know everything. Until they become adults and realize how stupid they really are.
That's called growing up.
I guess our amusing quips aren't so amusing after all?
Well here's a real response: "Children today have a much better idea of real-world risks than their parents and teachers do."
I don't know where this statement is stemming from, or what data you're basing this on, but I don't agree at all.
Children by definition have far less life experience to draw upon, hence could scarcely be assumed to have more (or more accurate) abilities to assess risk.
Children, teens primarily, are generally reckless and experimental. This phase is (I'm assuming) evolution's little contribution to molding a fine adult human specimen, in that during periods of believing you're invulnerable, and wanting to take on the world just for the hell of it, one begins to learn just what the realities and consequences of ones actions turn out to be.
There are many things in life only learned through experience, and frankly, while children may be better able (or more willing) to logically crunch the statistics on things like stranger danger than their parents/elders, they certiainly aren't better judges of, say, whether the guy that's giving them a creepy stare on the street is just a harmless nutter, or someone that potentially means them harm. Just one example, but beat the hell out of it if you like (obviously no one can read minds).
My point though, is that some things are only learned through experience, and I would say that *most effective risk assessment is learned through experience. If all it took were numbers to assess risk, no one who valued their life would ever get into an automobile.
Needless to say, though, no human's experiences equal the experiences of the next.
er... well our comments *we're deleted for a minute there, unless I'm going insane?
I saw it too. Scary!
"Young people are heavily monitored at home, at school, and in public by a variety of surveillance technologies. Children and teenagers want private spaces for socialization, exploration, and experimentation, away from adult eyes. Posting personal information online is a way for youth to express themselves, connect with peers, increase popularity, and bond with friends and members of peer groups."
My immediate reaction: Well, DUH.
"My point though, is that some things are only learned through experience, and I would say that *most effective risk assessment is learned through experience."
I have no argument with your statement. Alas, you used the word 'effective'. What real-world experience motivates parents in a gated community to drive their ten-year-old children 500 yards to the bus stop and *wait* there (in clusters of parked cars) until the bus arrives?
My point is that children are more rational about this sort of thing than their parents are. Sure, it is a generalization, and there will be exceptions, but most kids have a better sense of online risks than their parents do (especially since most of their parents have no clue what their kids do online).
"What real-world experience [...]?"
Obviously a question I cannot answer, but using one crazy mother/father as an example doesn't resound your point with anymore authority.
I don't believe that kids have a better sense of online risks than their parents do. A more accurate characterisation is that parents have a completely unrealistic sense of online risks and kids don't make an assessment at all. That makes the kids' behaviour match the actual risk better than the parents but it doesn't imply that the kids "have a sense of online risk"
Kids today might be more *cynical* than the previous generation, but I don't think they're any more security conscious than the older generation.
The original article talks about young people and privacy because social networking employs a majority of younger people, not because the privacy or security issues are different, I think.
"A more accurate characterisation is that parents have a completely unrealistic sense of online risks and kids don't make an assessment at all."
Exactly. It is possible to arrive at the "correct" response through an incorrect process and/or with incorrect information.
"What real-world experience motivates parents in a gated community to drive their ten-year-old children 500 yards to the bus stop and *wait* there (in clusters of parked cars) until the bus arrives?"
You've not met many trophy wives or their ex-husbands?
The only threat to children online is their parents stumbling on the content they post. Their parents are the only people in a position to hurt them (i.e. via curfews, makework, lectures, etc.).
It's simple isn't it? If you post your personal information on the Internet, you do not care about your privacy.
That is why if I search the Internet for my real name using any search engine, none are the results are for me: I care about my privacy.
"Their parents are the only people in a position to hurt them"
I do not think so - (cyber)bullying is real and kids are rarely in a position to ignore a load of ridicule or even hate from their peer group. Being grounded for a week may seem hard to the kid for the week - but having camshots showing the kid in an embarrassing or personal situation on the phones of all its (on- and offline) friends lasts definitely longer.
With the new face recognition abilities and automatic tagging of photos in online communities it might even ruin future prospects of getting an internship and whatnot. It is a fact that kids do not comprehend the long term effects of certain actions.
We were just lucky in our youth that these techniques did not exist yet.
It is like STD - after the pill and before HIV one could have sex without having to face severe consequences. Since the eighties this it not so anymore.
Same with party photos today: in former time these fotos and informations would be forgotten and be inaccessible to future employers or friends. With the digital age and social networks and so on this is not so anymore. What kids (and not only kids) lack is some kind of mental condom to protect from the consequences.
"What real-world experience motivates parents in a gated community to drive their ten-year-old children 500 yards to the bus stop [...]"
Sorry to interrupt with some very not-american view on such problems, but having watched US-TV - especially news - on visits there, the answer seems obvious to me. It is an impression of a real-world that motivates over-protectiveness.
I found myself wondering whether I am actually providing the search engine with personal information while I was refining the search for my own name with additional keywords. (I wanted to know what kind of information one finds about me, if he has additional knowledge, for I am blessed with a name that is rather common.)
Is this all that ground-breaking? I've just edited the conclusion slightly & wonder if anyone would disagree with it:
"The prevailing discourse around human beings and privacy assumes that people don't care about their privacy because they post so much personal information online. The implication is that posting personal information online puts them at risk from marketers, pervs, present & future employers, and so on. Thus, policy and technical solutions are proposed that presume that people would not put personal information online if they understood the consequences. However, our review of the literature suggests that people care deeply about privacy, particularly with regard to anybody uninvited viewing personal information. People are heavily monitored at work and in public by a variety of surveillance technologies. Human beings want private spaces for socialization, exploration, and experimentation, away from prying eyes. Posting personal information online is a way for people to express themselves, connect with peers, increase popularity, and bond with friends and members of peer groups. Subsequently, people want to be able to restrict information provided online in a nuanced and granular way.
@ Nick "If you post your personal information on the Internet, you do not care about your privacy."
This idiocy get recycled over and over again. Privacy, like security, is _not_ binary. Or do you also fear to use any computer connected to the Internet, because "you care about your security"?
The real question you should be asking is "When I post my personal information on the Internet in a particular fashion X in order to attempt to attain goal Y, am I actually profiting?" In order to answer this question, one needs to know/estimate the weighted risks of posting in that fashion vs. the (again weighted) advantages.
"It's simple isn't it? If you post your personal information on the Internet, you do not care about your privacy."
Everyone I know who is a privacy advocate, everyone I know who works to protect privacy, and everyone I know who cares about their privacy, posts personal information on the Internet. Everyone, no exceptions. (I presume there are people who care about their privacy and don't post personal information on the Internet, but I don't know them.)
No, it's not simple. If it were simple, we wouldn't be having these discussions.
"That is why if I search the Internet for my real name using any search engine, none are the results are for me: I care about my privacy."
Good luck with that. There is probably very little to worry about as far as publicly-accessible information about you on the Internet. If you care anything at all about privacy, you ought to be far more concerned about the pay-for-access databases maintained by corporations.
@Nick: ""It's simple isn't it? If you post your personal information on the Internet, you do not care about your privacy.""
For one, it depends on what you define as "posting personal information on the Internet." This no doubt includes public blogs or web pages. But what else does it include? (and different people see it differently.) Is posting on Facebook included, as you have some control over who sees it? What about secure connections with a business, financial institution, or government? If you type in your SSN masked to the IRS's secure connection to get information on your tax return, is that posting it on the Internet, or is it simply that the Internet is the communication channel?
There are varying degrees of publicity, security, disclosure, and control. One can differ over what "posting on the Internet" includes.
I would wager that very few internet users never submit their private info using the Internet. The Internet serves a purpose, and like all mediums it can be used and misused.
This is what a lot of people misunderstand about Personally Identifiable Information (PII). It will ALWAYS be disclosed, otherwise it is useless. And other parties will always have it, otherwise it can't really identify someone personally (else, you can enter any name, any SSN, and no one can prove it is bogus). As Bruce has pointed out, the key is controls over usage, as controls over disclosure can only do so much.
Good question, but the answer hinges on definitions that are not black and white. Too much grey.
Let me know the info you are using to search.. I'll let you know what I find out!
@RobS: I think you are part right, in that kids don't "calculate it".. The thing is, is it worth even calcuating in some respects?
I know it has come out that theifs are using Facebook/Twitter status messages to see what houses might be vacant. But what are the odds still that your house is going to be burglarized?
Of course, when they find out that they have an alarm company, house sitter, and a dog still occupying the house -- think they'd be disappointed?
@AppSec: "I know it has come out that theifs are using Facebook/Twitter status messages to see what houses might be vacant. But what are the odds still that your house is going to be burglarized?"
The list of suspects would probably be only as large as the list of friends. Not to mention, most co-workers and friends and many others who aren't on facebook learn about vacation time anyway.
I remember someone a long time ago, their daughter died. Obviously, the family would be at the funeral, as well as friends and any neighbors that weren't at work. This poor family got robbed blind during the funeral. The newspaper was a pretty good indicator of a target in this case.
I personally don't post when I'll be out of town, just like I don't do out of office messages on my work email as to not target my account and office. This isn't because I think it is a huge worry when someone does it, it's just easy not to do.
I'm sure the house sitter and my three dogs would be a good deterrent during my vacations if I thought differently.
@HJohn: The list of suspects would probably be only as large as the list of friends. Not to mention, most co-workers and friends and many others who aren't on facebook learn about vacation time anyway.
That depends on who you let follow your twitter account or who you friend.
Slightly oddly this very subject came up yesterday evening on BBC Radio 4 and Ross J Anderson gave a couple of interesting examples in passing as did a couple of other people.
You (might) be able to down load the audio off of the BBC Web site (depending on where you are in the world),
Also the NO2ID website has a comments page,
I was interested to see this same research reported on (http://www.out-law.com//default.aspx?page=10952) under the succinct title:
Young care about privacy but have deluded sense of legal protection, says research.
@Vidkid Ie: they realize that the likelihood of someone tracking them down and hurting them as a result of posting some information online is vanishingly small.
Tell that to the individuals who are targeted by stalkers. Granted the risk may be somewhat small; but ask yourself do you want to take that chance - what do you stand to lose if you guess wrong.
Kids may have a better idea of the risks but do they know how to mitigate them, manage them, avoid the truly serious and harmful ones or deal with the situation or circumstance when risk become reality or inintended consequences that also create risk?
Kids may also have a better understanding of on-line risks but how equipped are they to deal with those times when on line risks and the actions taken on-line have real work consequences? For example - identity theft on-line threat - real world consequences - loss of money, loss of time spent repair the damage to reputation, inability to get credit, a job, buy a house - long term black mark on credit reports.
Closer to home for college admissions or jobs - employers routinely Google applicants especially in this tight hiring market - wild escapades can lead to being turned down for jobs - losing scholarships. What is on line does not always stay only on line.
The recent cyberbullying cases are a prime example of real world tragedies stemming from actions taken online.
"If you post your personal information on the Internet, you do not care about your privacy."
I've found the converse, actually. If you try to keep your personal information off the Internet it will most likely get there anyway and stand out as highly reliable personal information. If you post oodles and oodles of personal information on the Internet -- a form of propagandized disinformation, if you will -- then you will gain privacy.
Celebrities are experts in this field. It's hardly new to them and we can learn a lot by modeling their privacy controls.
Glad you cited the UC Berkeley School of Information study. I'm not surprised there is little difference between young/old. I think the split will be found related more to values instead of ages.
HJohn: "The list of suspects would probably be only as large as the list of friends. Not to mention, most co-workers and friends and many others who aren't on facebook learn about vacation time anyway."
Or the list of suspects could include anyone capable of using a search engine. These things aren't as private as they should be and the companies profit more from making it public.
@AppSec at April 21, 2010 9:41 AM
@anonymous at April 21, 2010 12:42 PM
Good points. I was speaking of Facebook, tunnel vision on my part. Main point being is there are a lot of ways people can get info, but both of you already know that.
I figure I'd drop a comment on this one, just so that nobody thought the other "Nick" was me. (His post was too short, for starters. ;) I think his statement is partly true in that there is no reasonable expectation of privacy on the Internet like you would get with a private conversation in the woods, in a classroom or even in a cafe. This is true because of pervasive technical/procedural vulnerabilities, ease of exploiting virtual vs physical flaws, greater number of attackers with diverse motivations, residual information in logs/whatever, unencrypted "private" traffic sent through unknown/untrusted intermediaries, and poor privacy practices by many web sites. So, if "to care" means you act like it, then he would be correct in saying that you don't "care" if you put information online [in general, I'll add].
My personal approach, though, is somewhat different. I look at like like any other risk management scenario: there's threats, there's foes, and there's the odds. I try to figure out how much risk I'm taking when putting any piece of information online. I also figure out what kind of risk and how long it will be with me once I post. Then, I choose to accept or reject that risk. It's that simple. The biggest problem is that I don't have time to really analyze the situation most of the time, so I have to go with my intuition and make a spot judgment. So, posting online is a risk like any other, just with different factors to consider. That said, the risk of private becoming public is usually ten to hundreds of thousands (estimate) of times higher than any face-to-face private conversation I have.
Y'all are going to think I'm paranoid, but bear with me.
I think much of the older generations are more historically and politically aware, also... They have their reasons to distrust facebook and the likes, and so they specifically use it in the manner you suggested, never getting into anything serious. It seems that security by obscurity is the last line of defense against becoming a commodity in the big brother industry.
"In-Q-Tel, the investment arm of the CIA and the wider intelligence community, is putting cash into Visible Technologies, a software firm that specializes in monitoring social media. It's part of a larger movement within the spy services to get better at using 'open source intelligence' -- information that's publicly available, but often hidden in the flood of TV shows, newspaper articles, blog posts, online videos and radio reports generated every day."
Add to this the handful of identity-reconciliation companies (e.g. Initiate Systems) that gladly "assist" companies with their human-tracking needs, and you've got a whole new meaning for PII.
Better yet, if enough people share your name, they'll even do the work for you! With historical records online, they needn't even be alive . . .
(Yes, this will only work with the casual Googler, as opposed to anyone with the know-how or means to employ more sophisticated or just plain expensive techniques. Fortunately, there aren't that many of the latter . . . )
@ Jiminy K
"Fortunately, there aren't that many of the latter..."
I wouldn't be so sure. I've met quite a few in this rural area I moved to. I met a few in the last place. Anytime I meet a few people into something, there's usually many more I don't meet. Even if I discount that, though, the most conservative extrapolations that say one or two in each town/city/area put the number in the tens of thousands. And every one of those guys I've met is a highly active user of their skills.
So, I wouldn't be so sure. Now or later. ;)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.