30th International Conference of Data Protection and Privacy Commissioners
Strasbourg, 17 October 2008
Resolution on Privacy Protection in Social Network Services
Propor: Data Protection and Freedom of Information Commissioner of the State of Berlin, Germany
Co-sponsors:
Commission Nationale de l’Informatique et des Liberts (CNIL), France;
Federal Commissioner for Data Protection and Freedom of Information,
Germany;
Garante per la protezione dei dati personali, Italy;
College Bescherming Persoonsgegevens (The Netherlands)
Privacy Com"致富好项目 "
missioner, New Zealand;
Federal Data Protection and Information Commissioner (FDPIC), Switzerland
Resolution
Social network rvices1 have become very popular in recent years. Among other things, the rvices offer means for their subscribers to interact bad on lf-generated personal profiles, which support an unprecedented level of disclosure of personal information about the individuals concerned (and others). While social network rvices offer a new range of opportunities for communication and real-time exchange o无聊的聊怎么写
f all kinds of information, the u of the rvices can also爱国爱党诗歌
place the privacy of its urs – and others – at risk: Personal data about individuals become publicly (and globally) available in an unprecedented way and quantity, including huge quantities of digital pictures and videos. Individuals face the possible loss of control over how data will be ud by others once they are published on the network: While the “community” basis of social networks suggests that publishing one’s own personal data would just remble sharing information with friends as it ud to be face-to-face, profile information may in fact be available to an entire subscriber community (numbering in the millions).
Very little protection exists at prent against copying any kind of personal data from profiles – by ot
her network members, or by unauthorid third parties from outside the network – and using them for building海棠花几月份开花
personal profiles, or re-publishing the data elwhere. It can be very hard – and sometimes even impossible – to have information thoroughly removed from the Internet once it is published: Even after deletion from the original site (e.g. the social network), copies may rest with third parties or with the social network rvice providers. Personal data from profiles may also “leak” outside the network when they are indexed by arch engines. In addition, some social network rvice providers make ur data available to third parties via application programming interfaces, which are then under control of the third parties.
One example of condary us that has gained wide public attention is the practice of company personnel managers crawling ur profiles of job applicants or employees: According to press reports, one third of human resources managers already admit to u data from social network rvices in their work, e.g. to verify and/or complete details of job applicants.
1
“A social network rvice focus on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the inter
ests and activities of others […]. Most rvices are primarily web bad and provide a collection of various ways for urs to interact […]”. Quoted from Wikipedia:
/wiki/Social_network_rvice .
Profile information and traffic dat郦食其
a are also ud by providers of social network rvices for delivering targeted marketing messages to their urs.
It is very likely that other unexpected us for the information in ur profiles will emerge in the future.
Other specific privacy and curity risks already identified include incread risks of identity fraud fostered by the wide availability of personal data in ur profiles, and by possible hijacking of profiles by unauthorid third parties. The 30th International Conference of Data Protection and Privacy Commissioners recalls that the risks have already been analyzed in the “Report and Guidance on Privacy in Social Network Services” (”Rome Memorandum”)2 of the 43rd meeting of the International Working Group on Data Protection in Telecommunications (3-4 March 2008), and in the ENISA Position Paper No.1 “Security Issues and Recommendations for Online Social Networks”3 (October 2007).
The Data Protection and Privacy Commissioners convened at the International Conference are convinced that 三合钙咀嚼片
it is necessary, in the first place, to carry out an in-depth information campaign involving all public and private stakeholders – from governmental authorities to educational institutions, such as schools, from providers of social network rvices to consumer and ur associations, and including the Data Protection and Privacy Commissioners themlves – in order to prevent the multifarious risks associated with the u of social network rvices.
Recommendations
Given the special nature of the rvices, and short and long term privacy risks to individuals, the Conference offers the following recommendations to urs and providers of social network rvices:
Urs of Social Network Services
Organisations having an interest in the wellbeing of urs of social networks – including rvice providers, governments and Data Protection Authorities – should help educate urs to protect their personal data and communicate the following messages.
1. Publication of information
Urs of social network rvices should consider carefully which personal data – if any – they publish in a social network profile. They should keep in mind that they may be confronted with any information or pictures at a later stage, e.g. in a job application situation. In particular, minors should avoid revealing their home address or telephone number.
Individuals should consider the ufulness of using a pudonym instead of their real name in a profile. However, they should keep in mind that the u of pudonyms offers limited protection, as third parties may be able to lift such a pudonym.
2. Privacy of other individuals
Urs should also respect the privacy of others. They should be especially careful with publishing personal information about somebody el (including pictures or even tagged pictures) without that other person’s connt.
2
www.datenschutz-berlin.de/attachments/461/WP_social_network_rvices.pdf?1208438491
3
isa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf
Providers of Social Network Services
Providers of social network rvices have a special responsibility to consider and act in the interests of individuals using social networks. In addition to meeting the requirements of data protection law they should also implement the following recommendations.
1. Privacy regulations and s适合女生唱的歌
tandards
Providers operating in different countries or even globally should respect the privacy standards of the countries where they operate their rvices. To that end, providers should consult with data protection authorities as necessary.
2. Ur information
Providers of social network rvices should inform their urs about the processing of their personal data in a transparent and open manner. Candid and intelligible information should also be given about possible conquences of publishing personal data in a profile and about remaining curity risks, as well as about possible legal access by third parties ( law enforcement). Such i
nformation should also compri guidance on how urs should handle personal information about others contained in their profiles.
3. Ur control
Providers should further improve ur control over the u of their profile data by community members. They should allow for restriction of visibility of entire profiles, and of data contained in profiles, and in community arch functions.
Providers should also allow for ur control over condary u of profile and traffic data;
< for targeted marketing purpos. As a minimum, opt-out for general profile data, and opt-in for nsitive profile data (e.g. political opinion, xual orientation) and traffic data should be offered.
4. Privacy-friendly default ttings
Furthermore, providers should offer privacy-friendly default ttings for ur profile information. Default ttings play a key role in protecting ur privacy: It is known that only a minority of urs signing up to a rvice will make any changes. Such ttings must be specifically restrictive when a social network rvice is directed at minors.
5. Security
Providers should continue to improve and maintain curity of their information systems and protect urs against fraudulent access to their profile, using recognid best pract土建造价员
ices in planning, developing, and running their applications, including independent auditing and certification.
6. Access龙眼核
rights
Providers should grant individuals (regardless of whether they are members of the social network rvice or not), the right to access and, if necessary, correct all their personal data held by the Provider.
7. Deletion of ur profiles
Providers should allow urs to easily terminate their membership, delete their profile and any content or information that they have published on the social network.
8. Pudonymous u of the rvice
Providers should enable the creation and u of pudonymous profiles as an option, and encourage the u of that option.
9. Third party access
Providers should take effective measures to prevent spidering and /or bulk downloads (or bulk harvesting) of profile data by third parties
10. Indexibility of ur profiles
Providers should ensure that ur data can only be crawled by external arch engines if a ur has given explicit, prior and informed connt. Non-indexibility of profiles by arch engines should be a default tting.
