The Reality of Social Network(ing) in the Virtual Space: Decoding

the Behavioural Code

Sandeep Mittal, I.P.S., Joint Secretary (Security), Parliament of India, New Delhi- 110001.
Priyanka Sharma, Professor & Head, IT & Telecom, Raksha Shakti University, Ahmedabad.
Deepak Raj Rao, Asstt. Professor, Computer Forensics, LNJN NICFS (MHA), New Delhi.

Introduction
What could have been the common ground in the stories of Sir John Sayer 1, the
illustrious spy who could not become the chief of MI6 and the Officer Trey Economidy2
of the Albuquerque Police, who was dismissed from the job? Yes, it was their lack of
understanding of the sharpness of the two edges of the ‘social-media-sword’. The
behaviour of user of social networking sites is very crucial in virtual social interactions
not only for common man but also for a law enforcement officer. The issues involved in
handling social media are multiple and complex3, but the attitude of user of social
networking sites is one that is most generic.

The concern about the privacy of the members of the civil society has been
pondering over the minds of the citizens, thinkers, intellectuals, governments and
lawmakers alike during the historical past and present, and perhaps would continue to be
an important social and individual concern in future in any civil society. The general
privacy beliefs are results of complex interaction of social norms and moral value beliefs4
often mediated in space and time by a number of social variables at individual and
collective levels. In real-life social interactions, the individuals have a control over the
personal information shared amongst each other. The personal information thus shared in
physical world has a limited and slow flow to others and generally dissipates with time
with no trace after a relatively reasonable timespan. Its impact on a person’s reputation is
also relatively limited to a relatively close social- circle.

The rise of the Internet, Web 2.0 and easy availability of smart devices has resulted
in an era of privacy development where the use of social network(ing) sites (SNSs) like
Facebook, LinkedIn, Twitter etc. for exchanging information in virtual space has become
the norm.5 These SNSs are used to maintain networks for exchange of information on
anything under the sun, be it the innocent exchange of academic ideas or planning a
terrorist attack around the globe. The personal information exchanged over such SNSs

1
http://www.dailymail.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-
reveals-family-holidays-showbiz-friends-links-David-Irving.html
2
http://cryptome.org/2013/05/fogle/ryan-christopher-fogle.htm
3
http://www.sans.org/reading-room/whitepapers/privacy/risk-assessment-social-media-33940
4
H Jeff Smith, Tamara Dinev and Heng Xu, 'Information privacy research: an interdisciplinary review'
(2011) 35 MIS quarterly 989
5
Alan F Westin, 'Social and political dimensions of privacy' (2003) 59 Journal of social issues 431
generically differ from that in real world in that the persons exchanging information are
not face to face with each other thus compromising the real world controls on the
information, travels fast and far beyond the control of anyone and has perpetual
availability on internet in accordance with the adage “God forgives and forgets but
internet never does…..”6. The user generated content, mostly beyond the knowledge and
comprehension of SNSs’ users, and algorithms of the web aggregating services further
worsens the privacy scenario today with SNSs sensing the every breath and the every step
one takes in real life.
The general privacy, initially defined either by value-based approach or cognate-
based approach, gradually shifted in present information era to ‘privacy as a right’
concept to “control physical space and information”.7 This big data, which has been
disclosed voluntarily or incidentally through interactive (e.g., Online Surveys) or
technological (e.g., Cookies) means has high potential of secondary uses. The SNSs have
emerged as a preferred medium of expression of free speech and exchange of personal
information thus generating large volumes of personal data. This data includes names,
addresses, mobile numbers, dates of birth, emails, geographic locations, health records
like BMI etc. and can aid in committing frauds including identity theft, online slander and
defamation and advertising including the targeted ones for marketing purposes by
monitoring the behavior of users.8 This data is not only stored, aggregated and moved
repeatedly across international boundaries but shared by these sites with third parties for
uses not intended when collected. The user is either not aware or is forced to give his
consent for processing of his data in unambiguous manner and has practically no control
over the personal information disclosed on SNSs. Every visit to a site leaves electronic
footprints revealing substantial information about the user which when aggregated can
reveal lot of personal information about the personality of user and her interests. 9 The
protection of privacy and confidentiality of this personal data at residence and in motion
within and across the borders is a cause of concern10,11,12,13.

6
JEFFREY ROSEN, 'The Web Means the End of Forgetting' The New York Times (New York July 21,
2010) <http://www.nytimes.com/2010/07/25/magazine/25privacy-t2.html?pagewanted=all> accessed
29/10/2017
7
Smith, Dinev and Xu, 'Information privacy research: an interdisciplinary review'
8
Sandeep Mittal, 'Critical Analysis of Divergent Approaches to Protection of Personal Data' (2017) 8
International Journal of Advanced Research in Computer Science 58
9
François Nawrot, Katarzyna Syska and Przemysław Świtalski, Horizontal application of fundamental
rights: Right to Privacy on the Internet (2010)
10
Steven R Salbu, 'European Union Data Privacy Directive and International Relations, The' (2002) 35
Vand J Transnat'l L 655
11
Jerry Kang, 'Information privacy in cyberspace transactions' (1998) Stanford Law Review 1193
12
Jonathan P Graham, 'Privacy, computers, and the commercial dissemination of personal
information' (1986) 65 Tex L Rev 1395
13
David H Flaherty, 'On the utility of constitutional rights to privacy and data protection' (1990) 41
Case W Res L Rev 831
What is Privacy?
A perusal of the scholarly reviews14 on privacy reveals mainly two approaches to
defining the general privacy, viz., value-based and cognate-based, the former being more
prevalent in legal, sociological and political studies while the latter being more explored
in psychological studies. In the present study a mix of these two approaches is used to
explore the cognitive aspect (attitudes towards privacy) and the right-based aspect
(expectations from law to protect privacy). Let us briefly look at these two approaches to
definitions of privacy. As cognate-state approach, the general privacy is defined as “a
state of limited access to a person”15 which narrowed down to Information systems
broadly translates to “a state of limited access to information” 16. As cognate-control
approach the general privacy is defined as “the selective control of access to the self”17
and as “control of transactions between person(s) and other(s), the ultimate aim of which
is to enhance autonomy or/and to minimize vulnerability” 18. The privacy has a cultural
context too. 19
As a right-based approach, the general privacy is treated differently in different parts of
the world, e.g., in the EU, privacy is seen as a fundamental human right; while in the
U.S., privacy is seen as a commodity subject to the market and is cast in economic
terms. The varying cultural backgrounds of the societies of EU and US were reflected in
their contrasting approaches to protection of privacy initially. With globalisation of
businesses due to internet revolution, the economic considerations out-weighed right
consideration and right based approach started buckling under the pressure of economic
based approach. However the Schrem’s case20 put a brake to this tendency.
In the realm of computer-mediated communication like social networking, the
privacy has been visualised as a tension between opening and closing a personal
boundary to others. The privacy boundary can range from complete openness (reflecting
willingness for information disclosure or giving access) to complete closeness
(reflecting unwillingness for information disclosure or giving access). 21 This
Communication Privacy Management (CPM) Theory expands Altman’s original concept
of privacy regulation by complex interplay of a set of privacy rules at individual, dyadic,

14
Smith, Dinev and Xu, 'Information privacy research: an interdisciplinary review'
15
Ferdinand Schoeman, 'Privacy: philosophical dimensions' (1984) 21 American Philosophical
Quarterly 199
16
Smith, Dinev and Xu, 'Information privacy research: an interdisciplinary review'
17
Irwin Altman, 'The Environment and Social Behavior: Privacy, Personal Space, Territory, and
Crowding' (1975)
18
Stephen T Margulis, 'Conceptions of privacy: Current status and next steps' (1977) 33 Journal of
Social Issues 5
19
Irwin Altman, 'Privacy regulation: Culturally universal or culturally specific?' (1977) 33 Journal of
social issues 66
20
Maximillian Schrems v Data Protection Commissioner, C-362/14, Court of Justice of the European
Union (Court of Justice of the European Union)
21
Sandra Petronio, 'Brief status report on communication privacy management theory' (2013) 13
Journal of Family Communication 6
and group levels with a focus on the management of private information. When these
privacy rules are not coordinated, boundary turbulence occurs.22

The Social Network(ing) Sites (SNSs)

While the two terms have been used interchangeably, the scholars have
distinguished between “social network site” and “social networking site”, the former
being “unique (in) not that they allow individuals to meet strangers, but rather that they
enable users to articulate and make visible their social networks” resulting in frequent
connections between individuals (“latent ties”) who share some offline connection, while
the latter “emphasizes relationship initiation, often between strangers”.23,24 However with
the advent of Web 2.0 after this distinction was made, it has almost faded away and for
the purpose of this study we use the term “Social Network(ing) Site” (SNSs) to mean and
include features of the two.
The basic definition of SNSs25 as expanded by Scholars includes the following
structural elements, 26
a) A feature to build friends list and restrict access to users’ personal data
to this group or its subset.
b) Pre-structured ‘user profiles’ disclosing personal information.
c) Disclosure of some data in free form.
d) A ‘timeline’ amalgamating personal data disclosed by different users
at different times in different context to the site.
e) Non-explicit disclosure of personal data.
While these features are the raisons d'etre of social networking, at the same time
are the very cause for most of the data privacy concerns.27

The Privacy and the Social Network(ing) Sites

In course of social interactions in the physical world, while an individual uses his
physical senses to perceive and manage threats to his privacy, he has no such social and
cultural cues to evaluate the target of self-disclosure in a visually anonymous online
space of SNSs. Therefore, while the cognitive management of protection of privacy in
offline world is performed unconsciously and effortlessly, deliberate actions are required

22
Stephen T Margulis, 'Three theories of privacy: An overview', Privacy online (Privacy online, Springer
2011)
23
Nicole B Ellison, 'Social Network Sites: Definition, History, and Scholarship' (2007) 13 Journal of
Computer-Mediated Communication 210
24
Caroline Haythornthwaite, 'Social networks and Internet connectivity effects' (2005) 8 Information,
Community & Society 125
25
Ellison, 'Social Network Sites: Definition, History, and Scholarship'
26
Lilian Edwards, '13. Privacy, law, code and social networking sites' (2013) Research Handbook on
Governance of the Internet 309
27
Ibid
for effective self-protection are required on SNSs.28 These deliberative actions can be
understood in terms of the “Theory of Planned Behavior” (TPB)29,30,31 which stipulates
that “an individual’s intention is a key factor in predicting his or her behavior and the
intentions are shaped based on attitude, subjective norms and perceived behavioral
control (Figure 1).

Figure 1 Theory of Planned Behaviour

As a general rule, the more favorable the attitude and subjective norm, and greater
the perceived control, the stronger is the person’s intention to perform a behavior”32. The
TPB has been proposed to be a useful and relevant theoretical frame work for online
privacy protection on SNSs.33 However, it is not out of the context to mention that
several situational, contextual and demographic factors influence he privacy related
attitude, belief and behaviour of an individual.

Understanding the Attitudes towards Privacy on SNSs

Several theoretical and empirical studies across disciplines have been conducted
to understand the attitudes on privacy and data privacy protection laws in jurisdictions
worldwide. A few findings relevant to the present work are enumerated here,

28
Mike Z Yao, 'Self-protection of online privacy: A behavioral approach', Privacy Online (Privacy Online,
Springer 2011)
29
Icek Ajzen, 'From intentions to actions: A theory of planned behavior', Action control (Action control,
Springer 1985)
30
Icek Ajzen, 'The theory of planned behavior' (1991) 50 Organizational behavior and human decision
processes 179
31
Icek Ajzen and Martin Fishbein, 'The influence of attitudes on behavior' (2005) 173 The handbook of
attitudes 31
32
Sandeep Mittal, 'Understanding the Human Dimension of Cyber Security' (2015) 34 Indian Journal of
Criminology and Criminalistics 141
33
Yao, 'Self-protection of online privacy: A behavioral approach'
 (a) Information disclosures by SNSs’ users is associated with their
level of concern for privacy.34,35,36
(b) SNSs’ users are aware of privacy setting and change default
settings as per their need.37,38,39,40,41,42
(c) Perception of trust by SNSs’ users improves with greater
information disclosure by SNSs.43,44
(d) Privacy Policies of SNSs help in protecting privacy of SNSs’
users.45
(e) Disclosure of personal information on SNSs is a bargaining
process where perceived benefits and gratifications of networking
outweigh the privacy.46,47,48
(f) More knowledge and experience of using the Internet improves
privacy concern of SNSs’ users.49,50
(g) Demographic factors influence SNSs’ user’s privacy behavior.51,52

34
Ralph Gross and Alessandro Acquisti, Information revelation and privacy in online social networks
(ACM 2005)
35
Nicole B Ellison and others, 'Negotiating privacy concerns and social capital needs in a social media
environment', Privacy online (Privacy online, Springer 2011)
36
Zeynep Tufekci, 'Grooming, gossip, Facebook and MySpace: What can we learn about these sites
from those who won't assimilate?' (2008) 11 Information, Communication & Society 544
37
Gross and Acquisti, Information revelation and privacy in online social networks
38
Katherine Strater and Heather Richter, Examining privacy and disclosure in a social networking
community (ACM 2007)
39
Susan B Barnes, 'A privacy paradox: Social networking in the United States' (2006) 11 First Monday
40
Fred Stutzman and Jacob Kramer-Duffield, Friends only: examining a privacy-enhancing behavior in
facebook (ACM 2010)
41
Catherine Dwyer, Starr Hiltz and Katia Passerini, 'Trust and privacy concern within social networking
sites: A comparison of Facebook and MySpace' (2007) AMCIS 2007 proceedings 339
42
Joseph P Mazer, Richard E Murphy and Cheri J Simonds, 'I'll see you on “Facebook”: The effects of
computer-mediated teacher self-disclosure on student motivation, affective learning, and classroom
climate' (2007) 56 Communication Education 1
43
Ibid
44
Dwyer, Hiltz and Passerini, 'Trust and privacy concern within social networking sites: A comparison
of Facebook and MySpace'
45
Bernhard Debatin and others, 'Facebook and Online Privacy: Attitudes, Behaviors, and Unintended
Consequences' (2009) 15 Journal of Computer-Mediated Communication 83
46
Ibid
47
Jochen Peter and Patti M Valkenburg, 'Adolescents’ online privacy: Toward a developmental
perspective', Privacy online (Privacy online, Springer 2011)
48
Ellison and others, 'Negotiating privacy concerns and social capital needs in a social media
environment'
49
Robert LaRose, Dana Mastro and Matthew S Eastin, 'Understanding Internet usage: A social-
cognitive approach to uses and gratifications' (2001) 19 Social science computer review 395
50
Yao, 'Self-protection of online privacy: A behavioral approach'
The Indian Scenario
In India, the maiden research study to understand the behavioural dynamics of
users of social networking is by Mittal & Sharma (2017)53, the main findings of which
are summarized as follows,

a) The three most important personal information identified are financial

information (59%), Aadhaar, Passport, License (56%), and Biometrics (46%). The
friends’ list (4%), work history (5%) and medical information (12%) are not considered
as important personal information.
b) the most important reason for information disclosure was denial of access by
SNSs if the information is not disclosed (63%) followed by urge to connect with others
(31%).
c) The three most important risks of information disclosure identified are data
sharing without consent (86%), identity theft (75%) and frauds (72%).
d) The monitoring and recording of behavior is a major privacy concern (87%).
e) The acts of users to protect their identity in daily life and on SNSs are similar.
f) While majority of respondents read privacy policy (53%) only 18% understand
the same. The majority of respondents failed to adopt a change after reading privacy
policy (53%). The lengthy and complex text was a major reason for ignoring the privacy
policy (59%).
g) The majority perceived only partial control over disclosed information (52%).
h) The majority was not comfortable with SNSs collecting their personal data for
commercial advertisements (55%).
i) The majority of respondents (55%) wanted their explicit consent to be always
taken.
j) The majority did not trust default settings (43%).
k) While 43% of respondents perceive a part role for all stakeholders including
Government, 19% envisaged full responsibility of Government to protect their
information.

As the attributes of the routine social interactions in physical world are missing in the
virtual world of SNSs and the artificial intelligence algorithms on the prowl, learning
about the every minute aspect of the user’s behavior, the actual attitudes of users would

51
Stutzman and Kramer-Duffield, Friends only: examining a privacy-enhancing behavior in facebook
52
Tufekci, 'Grooming, gossip, Facebook and MySpace: What can we learn about these sites from those
who won't assimilate?'
53
Mittal Sandeep and Sharma Priyanka, ‘A Study of the Privacy Attitudes of Users of Social
Network(ing) Sites and their Expectations from Law in India’, Accepted for publication in Proceedings of
the WICT-2017 (Springer 2017)
begin to change at a rapid pace. It remains to be seen if the human intelligence would be
able to defy the artificial intelligence or vice versa, thereby, necessitating a changed
perception about the data privacy law also. The law enforcers would do well to
understand these behavioural patterns to deal with their clients in recent future.