Study on the Privacy of Personal Data
and on the Security of Information in
This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación, INTECO (Spanish National Institute of Communication Technologies), and the Agencia Española de Protección de Datos, AEPD (Spanish Data Protection Agency), and is under a Creative Commons Spain 2.5 Attribution Non-commercial license. For this reason, copying, distributing and displaying this work is permitted under the following circumstances:
• Attribution: The content of this report can be totally or partially reproduced by third parties, specifying its source and expressly referring to both INTECO and AEPD and their websites: www.inteco.es, www.agpd.es. This attribution may in no event suggest that INTECO or AEPD supports this third party or the use it makes of their work.
• Non-commercial Use: The original material and the resulting works can be distributed, copied and shown provided that it is not for commercial purposes.
When the work is reused or distributed, its license terms must be made very clear. Some of these conditions may not be applicable if the copyright license is not obtained from INTECO and the AEPD. Nothing in this license impinges on or restricts INTECO's and AEPD's moral rights.
Full license text: http://creativecommons.org/licenses/by-nc/2.5/es/
EXECUTIVE SUMMARY
I Situation: definition of a social network
II Analysis of the most relevant aspects and specific problems of social networks
III Proposals and recommendations to the parties involved in social networks
1 INTRODUCTION AND OBJECTIVES
1.1.1 Spanish National Institute of Communication Technologies (INTECO)
1.1.2 Spanish Data Protection Agency
1.2 Contextualizing the study
1.3 Objectives of the Study
1.4.1 Phase I. Data Collection and Fieldwork
1.4.2 Phase II. Information Analysis
1.4.3 Phase III. Recommendations and conclusions
1.5 Content Structure
2 SITUATION: DEFINITION OF SOCIAL NETWORKS
2.1 Characterizing Social Networks
2.1.1 Theoretical Basis
2.1.2 Origin and evolution
2.2 Typology of social networks
2.2.1 Generalist and recreational social networks
2.2.2 Professional Social Networks
2.3 Value chain and business models
2.3.1 Value chain of social networks
2.3.2 Business models
2.4 Risks implied by the use of social networks
ANALYSIS OF THE MOST IMPORTANT ASPECTS AND SPECIFIC PROBLEMS OF SOCIAL NETWORKS
3.1 Protection of the right to honor, personal and family privacy and image
3.1.1 Definition of the right
3.1.2 Applicable Law
Possible risks. How could the right to honor, privacy and image be affected in a Social Network?
3.1.4 Vulnerable Groups. Underage and legally incapacitated users
3.1.5 Measures to protect the right to honor, privacy and image
3.2 Personal Data Protection
3.2.1 Definition of the right
3.2.2 Applicable law: regulation and its evolution
Possible risks on social networks. How could personal data be affected?
3.2.4 Vulnerable Groups. Underage and legally incapacitated persons
3.2.5 Measures taken to protect the personal data of users
3.3 Intellectual Property protection in social networks
3.3.2 Legal framework: regulations and its evolution
Probable risks. How could Intellectual Property Rights be affected in a social network?
3.3.4 Groups specially protected. Underage and legally incapacitated persons
3.3.5 Measures to protect the rights to intellectual property of users and third parties
3.4 Protection of Users and Consumers
3.4.1 Definition of the right
3.4.2 Applicable Regulations: Regulation and its evolution
3.4.3 Possible risk. How could these rights be affected?
3.4.4 Specific Cases. Underage and legally incapacitated persons
3.4.5 Measures to protect the rights of users and consumers
Proposals and recommendations addressed to the agents participating in social networks
4.1 Proposals and recommendations addressed to the Industry
Proposals and recommendations addressed to social networks and the collaborative platforms
4.1.2 Proposals and recommendations addressed to the manufacturers and the providers of computer security
4.1.3 Proposals and recommendations addressed to the Internet Services Providers (ISP)
4.2 Proposals and recommendations addressed to the Administrations and Public Institutions
4.2.1 From a normative point of view
4.2.2 From an executive and administrative point of view
Proposals and recommendations addressed to the users and the associations
4.3.1 Protection of personal data, honor, intimacy and personal image
4.3.2 Intellectual property
4.3.3 Technology and security
4.3.4 Protection of underage users
INDEX OF GRAPHS
I Situation: definition of a social network
• Online social networks are services that let their users create a public profile where they can enter personal data and information. The users have different tools to interact with each other.
• The growth of these platforms is based on a viral process, by which the initial users send an email invitation to their different contacts requesting them to join the website.
• These new services are strong channels of communication and interaction that enable the users to act as segmented groups: for entertainment, communication, professional purposes, etc.
• The main objective of a social network is reached when the users use it to convene events and actions that have an impact on the offline world.
• The latest statistics (from the Universal McCann Study of March 2008: “Power to the people social media. Wave 3”) estimate that the number of users of social networks is 272 million, which represents 58% of the Internet users worldwide.
• In Spain1, as underlined in the Universal McCann Study, 44.6% of the Internet users are using these services to be connected with their friends and close family, or to look for persons they have lost contact with. Applying this percentage to the data registered by the Wave XX from Red.es, which highlighted that “between January and March 2008, around 17.6 million of people have used the Internet the month before”, it is estimated that 7.852 million regular users (above 15 years old and who had an Internet connection during the last month) use social networks.
• In addition, it has been noticed that the percentage of social networks users is higher among underage users and declines with age: 7 out of 10 Internet users are younger than 35 years.
Although there are different sources of information, they all agree that in 2008 the proportion of Spanish Internet users who regularly use social networks is around 40 to 50%.
Calculated by applying the percentage for Spain from the Universal McCann Study to the number of regular Internet users obtained from the data of Wave XX of Red.es.
II Analysis of the most relevant aspects and specific problems of social networks.
The reputation of these online spaces is not free from the risk of potential malicious attacks. The national, European and international authorities have tackled the problem and have agreed to develop standards and recommendations3 to ensure secure access for users, with specific attention to underage users.
This chapter provides an in-depth analysis of the most relevant legal issues that directly affect social networks:
Protection of honor, personal and family privacy and image.
The right to honor is inalienable and represents the right to have a proper image, name and reputation. It means the respect of the person, regardless of the circumstances. The right to privacy protects the most intimate sphere of the person's life, and is closely linked to the protection of individual dignity. Finally, the right to image is intended to safeguard the image of a person in the public area.
In Spain, the protection of these rights is provided for in the Spanish Ley Orgánica 1/1982, de 5 de mayo, de Protección Civil del Derecho al Honor, a la Intimidad Personal y Familiar y a la Propia Imagen (the Organic Act 1/1982 on the Protection of Civil Rights to Honor, Personal and Familial Privacy and Image), which goes further than the provision of the Constitution stipulated in the Article 18.1 SC (Spanish Constitution or Spanish Bill of Rights). However, some situations are not expressly regulated and in certain conditions (while using social networks and collaborative websites), this may be a risk for the rights of users.
Among the potential risks to privacy, we can include the following aspects:
The main regulatory initiatives come from the international level, especially from the European Commission and the Article 29 Working Party, which in recent months has made public its intention to regulate, in the shortest possible time, all aspects related to the security and protection of users of social networks, collaborative websites, blogs and other means of user interaction on the Internet.
Thus, on 15-17 October 2008, the 30th International Conference of Data Protection and Privacy Authorities was held in Strasbourg. There it was agreed to draw up a proposal for the regulation of this type of platform that meets the following requirements: that it be a worldwide standard, legally binding on any type of provider regardless of where it is located; that it give users a series of protections considered basic when carrying out their activity on the Internet; that it guarantee a basic minimum of protection for minors, who are natives of this type of service and especially unprotected users of it; and that providers establish a series of technological measures aimed at protecting users. Accordingly, in November 2009 the 31st International Conference on Data Protection will be held in Madrid, at which a first draft of the worldwide regulation on data protection will be presented for subsequent debate and approval at the international level.
• While registering: the users might not be able to configure the privacy level of the profile, thus publishing sensitive information while beginning to use the social network.
• While participating in the network, the users might publish sensitive information, data and images that have an impact not only on their privacy, but also on third parties.
o Personal privacy: even if the users are voluntarily publishing their data on the network, the effects on their privacy might be deeper than believed at first sight, because these platforms have powerful tools to exchange, process and analyze the information provided by their users.
o Respect of the privacy of third parties: it is essential for the users to bear in mind that personal information and data related to third parties cannot be published unless those third parties have expressly authorized the publication, and that they could request an immediate withdrawal.
Finally, it is important to highlight that in most cases, social networks allow search engines to index users' profiles, along with contact information and profiles of friends, which may represent another risk for privacy.
• While unsubscribing from the platform, the users request to remove their profile, but some data might still remain, either personal information or pictures posted on the profiles of other users.
Furthermore, there is in Spain a specific protection for children, who are heavy users of such online services. They enjoy a higher status of protection insofar as the intervention of their parents or guardians is required in many circumstances.
During the past few years, the level of awareness regarding the protection of privacy and personal data has been increasing. A law related to those matters has been published: the Spanish Ley 34/2002, de 11 de julio, de Servicios de la Sociedad de la Información y del Comercio Electrónico (the Act 34/2002, of July the 11th, regulating the Services of the Information Society and E-Commerce, hereinafter referred to as the LSSI-CE). It considers the new social reality implied by the use of TIC in general, and by the Internet in particular, and it provides a normative basis to regulate the Internet and its services in a complete and effective way.
However, as stated in the survey, the adaptation of the legislation is more and more complex due to the rapid growth of new services associated with the Information Society, such as social networks. Therefore, it is necessary to initiate and develop a new concept of “Technological Law”, based on R&D, ensuring the protection of the users without hindering the development of such services.
Protection of personal data
The fundamental right to data protection is specifically regulated by the Article 18.4 of the Constitution, unlike the right to privacy, and it gives its holder the legal power to “control the use that is made of his/her personal data, including, among others, preventing their personal information from being used for other purposes than the ones for which it was obtained”4.
Given the large amount of personal data that the users publish on their profiles, these profiles are turning out to be genuine “digital identities” providing a quick understanding of the users' preferences, habits, etc.
The protection of personal data has been widely developed at the European and national level. In Spain, specific legislation has been implemented through the Spanish Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal (Organic Law 15/1999 on Data Protection, hereinafter referred to as the LOPD), and through the Royal Decree 1720/2007 of December the 21st, which approves the Regulation on the Implementation of the Organic Law for Data Protection (hereinafter referred to as the RLOPD). An extensive effort of interpretation has been made by the Agencia Española de Protección de Datos (Spanish Data Protection Agency), which has resolved cases of violation of data protection rights derived from the use of the new services offered by the Information Society. These resolutions guarantee the users the best protection of their rights.
However, as underlined during the interviews and the discussion groups, the protection of personal data is particularly difficult when it comes to social networks, since they are based on the publication of data by the users themselves. Thus, the potential risks for the protection of personal data include:
• Cases of phishing and pharming. Both are widely exploited by cyber-criminals to collect the personal or financial data of Internet users (credit cards, PIN, etc.).
• Social Spammer and spam. The use of social networks as platforms for sending
• Non-authorized indexing by the Internet search engines.
• Uncontrolled access to profiles. Most social networks publish the information in users' profiles completely, or at least a part of it, so any user of the social network can access personal information without the owner's express consent.
• Identity theft. It is more and more common for users who had never registered for online social networks to realize, while doing so, that their “digital identity” is already being used.
• Hyper-contextualized Advertising. This gives a priori an advantage to the users since it prevents the display of irrelevant and even offensive contents while navigating. However, from a legal point of view, it could be considered as an illegal practice, because, in order to contextualize the advertising, the data and preferences of the users are being examined.
Regarding the existing measures related to the protection of personal data for particularly vulnerable groups (minors and legally incapacitated persons), the particular importance of the Royal Decree 1720/2007 should be underlined. It stipulates that the provision of personal data of minors under 14 years old requires the consent of their parents or guardians.
In addition, this rule explicitly states that obtaining the child's consent should be done in a simple and easily understandable way, and that the child may not be asked for any information concerning his/her friends and relatives.
Protection of intellectual property
Regarding the protection of intellectual property in such platforms, it has been underlined that there is an increasing number of protected contents that are being used, shared and disseminated through social networks and collaborative websites without the authorization of their owner.
The protection of intellectual property is the right that the author has on his/her literary, artistic or scientific work.
In Spain, the Act on Intellectual Property grants the authors exclusive rights on their work, meaning that any reproduction, transmission or publication of their work must be done with their authorization. Both the national and European legislation are very strict so that nobody can exploit intellectual property rights without permission from the author. However, when it comes to the violation of the rights on intellectual property, we must distinguish between the situations where it is the users who are actually infringing the law and the ones where social networks do so through their General Conditions.
Social networks, while trying to fight against the unauthorized distribution of contents through their platform, have implemented automatic mechanisms for the users to self-regulate the contents published on the network. They allow the user to “denounce” contents that do not meet the conditions for registration or that violate either the rights the users have over their works or those of third parties.
Protection of consumers and users
It has to be considered that one of the main advantages of such platforms is the ability to obtain economic benefits from advertising and from the applications developed by the users of the network. The ease with which users can advertise or can receive announcements of products and services is tremendous compared to the physical world. The commercial success of online advertisement is also increased by the ease with which the products and services can be marketed at a distance, and by the fact that social networks have a database of users (potential customers) perfectly segmented by preferences and profiles.
As noted from the interviews and round tables conducted with users and legal experts, the increased collaboration of the users in identifying and controlling the kind of advertising, products and services sold through the network has helped raise the level of users' security.
Similarly, it is essential for the proper development of the Information Society, and for the sale of products and services through social networks to be successful, that potential customers have full trust in the website. The website must observe and comply with the current legislation and the needed technological requirements.
III Proposals and recommendations to the parties involved in social networks.
After analyzing the data collected during qualitative research, a series of recommendations have been developed. They are addressed to social networks and collaborative platforms, ISP (Internet service providers), manufacturers and service providers of computer security, public administrations and associations, and users:
• The Industry
Social Networks and Collaborative Platforms: The proposed general recommendations focus on: a) the compliance of their services with the European and national legislation, b) on the legal implications of some specific activities, c) on the identification of the technological tools required for their services and d) on the awareness regarding the need for increased security measures and the need for the protection of users.
Regarding the specific recommendations:
Security and technological recommendations
1. Transparency and ease of access to the information
o It is essential that these platforms present all the information on their services in a clear and understandable way, so that the language used in their conditions of use and privacy policies is absolutely understandable for any user.
o It is essential that social networks highlight within their homepages a specific section dedicated to informing their users.
o It is recommended to create “microsites”5 with direct access from the homepage of social networks in which the information is presented through “FAQs” and multimedia contents.
2. Ensure user control over the processing of the data and information published on the web by making available the largest number of tools aimed at enforcing their rights in an automatic, simple and quick way.
3. Set, by default, the highest level of security and privacy settings.
4. Ensuring the security of the platform. The proper choice of their Internet service provider (ISP) is vital so that it will ensure the highest level of security: secure servers, backup facilities and secure access, among others.
5. Deletion of information after a reasonable time.
6. Respect of the rights to register and unsubscribe.
Recommendations on training and awareness
1. Internal development of websites aiming at making available the maximum level of information possible regarding the treatment of personal data and the implications that may arise from the publication of contents on social networks.
2. Make available to users information on the security measures that have been implemented on the platform and the possible actions they may take in case of violation of their rights.
3. Given that the vast majority of generalist social networks users are underage, it is crucial that social networks and collaborative platforms, together with public authorities, associations and organizations whose purpose is the protection of such groups, carry out joint initiatives to promote the training of underage users and their guardians in the security of users, investigating the technological opportunities that exist to achieve the identification of users' age.
4. Volunteer programs within the company to collaborate with schools and training centers in order to spread the importance of security and to report the main recommendations to be considered in the use of such services.
Addressed to manufacturers and providers of computer security
Manufacturers and suppliers of security must take into account two key aspects to achieve the highest level of security: a) the prevention of online fraud, and b) research and development of secure technological tools. In this way, it is recommended to promote in the sector the following aspects:
1. That the marketed applications implemented in social networks have been developed, revised and evaluated in accordance with quality, security and privacy standards that guarantee their use is secure and respectful of the users' rights. Their proper functioning should also be reviewed.
2. The companies dedicated to security should encourage the interoperability of their security systems, promoting the implementation of standard protocols and systems in social networks that will guarantee compliance with pre-established codes of conduct.
3. In this respect, it is recommended to collaborate directly with the Security Forces of the State in the investigation of new situations of risk for the users, in order to develop applications able to detect, act on and counteract any unfavorable situations for the users of the platform.
4. It is recommended that the manufacturers and the providers of computer security be proactive in detecting malicious programming code (“malware”) that allows security holes in the platform, as well as in drawing up blacklists that include the domain names that present unauthorized contents or that do not abide by the security criteria previously mentioned.
5. It is recommended for the manufacturers to develop security patches and updates to guarantee that the persons in charge of the platform as well as the users are using entirely updated and secure applications.
6. In this respect, it is recommended for these manufacturers to develop applications that comply with international standards.
7. It is recommended to develop remote applications that allow parents to have complete control over the contents and the operations carried out by underage users on the Internet.
8. To include, in the technical descriptions of software that processes personal data, the technical description of the basic, medium and high security levels mentioned by the LOPD (legislation on personal data protection).
9. It is also recommended for the manufacturers of security software together with the relevant public administration to encourage the development of tools dedicated to reduce the reception of spam through social networks and similar platforms.
Addressed to providers of Internet access services (ISP)
The proposed recommendations for this Group include:
1. Create a platform for secure and reliable communication with the Security Forces of the State and Judicial authorities.
2. The full support and assistance to the Security Forces of the State.
3. Provide information to users and customers about the security measures that maintain the connection service.
Addressed to administrations and public institutions.
Normative point of view:
Regarding the protection of personal data, among the proposals, are included the following aspects:
• Global Legal Security: that promotes at the international, or at least at the community level, basic regulatory principles.
• Penalties must be implemented and strengthened for those platforms or users who illegally obtain information.
• It is recommended for the public authorities to work for a uniform international law on personal data protection, honor, privacy and image.
• Encourage, or oblige, this kind of platform to make public, or at least to emphasize, that the contents published on their network will become their property, before users publish any content on it.
• It is recommended for competent authorities to promote direct agreements between the audiovisual and music industries, and the main content delivery platforms.
• It is recommended for the service providers of the Information Society to implement automated, free, simple and effective tools for the owners of works protected by intellectual property rights to denounce unauthorized contents.
• To ensure fair compensation for copyright holders.
Customers and Users:
• It is recommended that the legislation clearly states which authority is competent to deal with complaints from consumers and users.
• Promote effective and efficient mechanisms regarding the possibility of blocking access to online platforms.
Executive and administrative point of view:
• Specific training in technological law for judges, magistrates, prosecutors and court clerks.
• It is necessary to equip the technological squads of the Security Forces, whether belonging to the State, the autonomous communities or the international community, with technological tools that will allow them to investigate, to maintain the chain of custody for electronic evidence and to block situations that are liable to cause harm to the users of social networks and collaborative platforms.
• Development and articulation of fast and free judicial proceedings so that users will be better protected.
Formative and Informative point of view:
• Conduct awareness campaigns on the risks represented by the spreading of personal data in social networks.
• Conduct training workshops and outreach programs related to security.
• Create classes on data protection and security on the web.
• Conduct awareness-raising and promotion campaigns on the security on the Internet through the media 2.0.
Addressed to users and associations
Below is a series of recommendations addressed to the users of social networks and collaborative platforms, whose objective is to inform them of the benefits these kinds of services might bring, but also of the harmful, yet easily avoidable, situations they might face while using them.
1. It is recommended for all users to use pseudonyms or nicknames, enabling them to have a genuine “digital identity”.
2. It is recommended for the users to be especially careful when publishing audiovisual contents and graphics on their profiles since they may put at risk their privacy and the privacy of those around them.
4. It is recommended to configure adequately the degree of the profile privacy in the social network, so it is not completely public but only available to those that have been cataloged as “friends” or “direct contacts” previously by the user.
6. It is recommended not to publish in the user profile contact information, allowing anyone to know where the user lives, works or studies and the daily or leisure places that the user usually attends.
7. For the users of microblogging tools6 it is recommended to take special care regarding the publication of information on the places where they are at all times.
8. It is recommended to use and disclose only the contents the user has rights to.
9. Users are encouraged to use different usernames and passwords when logging in to the social networks they are members of.
10. It is recommended to use passwords with a minimum length of 8 characters, alphanumeric, with both upper-case and lower-case letters.
11. It is recommended that all users have properly updated antivirus software on their computers.
12. Underage users should not reveal personal information. Data should never be provided to strangers.
13. All information concerning the website should be read. It has to explain who the owners are and the purpose for which the data are required.
14. If the user is under fourteen, the consent of the parents or guardians is also required. In these cases, their consent will be requested when subscribing, accepting friends, etc.
15. The users should not communicate their usernames and passwords to others, or share them with friends or classmates. These data are private and should not be communicated to third parties and/or unknown persons.
16. Whenever there are any questions regarding any situation arising from the use of social networks and collaborative tools, the parents or guardians should be asked.
17. The computer must be kept in a common area of the house.
18. There should be some rules on the use of Internet at home.
This type of platform is based on the constant updating of user profiles. More information is available in Chapter 3 of this document.
19. Parents should explain the benefits and the risks of such platforms to their children.
20. Activate the parental control.
21. Ensure that age verification controls are implemented.
22. Ensure the correct implementation of the inappropriate content blocker.
23. Teach children about security issues.
24. Explain to children that they must never meet anyone they have met online and if they do so their parents or guardians must always accompany them.
25. Ensure that the children know the risks and implications of hosting content such as videos and photographs, as well as the use of webcams through social networks.
26. Check the user profile of the children.
27. Ensure that the children only access the pages recommended for their age.
28. Ensure that the children do not use their full name.
INTRODUCTION AND OBJECTIVES
1.1.1 Spanish National Institute of Communication Technologies (INTECO)
The Spanish National Institute of Communication Technologies (Instituto Nacional de Tecnologías de la Comunicación, INTECO), sponsored by the Ministry of Industry, Tourism and Trade, is a platform for the development of the Information Society through innovative and technological projects: firstly, to contribute to the convergence of Spain with the European Information Society, and secondly, to promote regional development.
The mission of INTECO is to promote and develop innovative projects related to the field of Communication and Information Technologies (TIC) and the Information Society, in order to improve the position of Spain in Europe and to provide the country new competitive advantages, by extending its abilities in both the European and the Latin American environment. Thus, the Institute intends to be a development center of strong public interest aiming at developing the use of new technologies in Spain.
The social objective of INTECO is the management, counseling, advocacy and spreading of technological projects related to the Information Society. To do this, INTECO develops actions that follow the strategic lines of a) the Technological Security, b) the Accessibility and c) the Software Quality.
El Observatorio de la Seguridad de la Información: The Information Security Observatory is inserted into the strategic line of actions of INTECO for Technological Security.
The Observatory aims at describing in detail the level of security and trust regarding the Information Society. It seeks to generate expertise in the area. Thus, it is at the service of the citizens, the companies and the Spanish administration to describe, analyze, and spread the culture of Information Security and e-Trust.
The Observatory has designed an Activities and Researches Plan in order to produce useful knowledge and expertise related to security on the Internet and to develop recommendations and proposals to define trends that will be valid for future decisions of public authorities.
Within this action plan, research, analyses, studies, counseling and outreach are carried out to address, inter alia, the following aspects:
• Development of internal studies and studies on the Security of TIC, with special emphasis on the Internet Security.
• Monitoring of key indicators and of public policies related to the security of information at the national and international level.
• Creation of a database to enable the analysis and evaluation of the security and trust with a time perspective.
• Promotion of researches on secure technologies.
• Spreading of studies and reports published by other entities and national and international organizations, as well as of information on current national and European policy on security and trust regarding the Information Society.
• Advising the government on the security of information as well as supporting the development, monitoring and evaluation of public policies in this field.
More information: http://www.inteco.es
More information: http://observatorio.inteco.es
1.1.2 Spanish Data Protection Agency
The Spanish Data Protection Agency is an entity that operates independently from the government and that aims at enforcing and implementing the provisions contained in the Spanish Ley Orgánica 15/1999 de Protección de Datos (Organic Act 15/1999 on Personal Data Protection, hereinafter referred to as the LOPD) and its implementing rules. Its functions are to ensure the compliance with the data protection legislation and to monitor its implementation, particularly regarding the rights to information, access, rectification, opposition and cancellation of data.
Among its functions, the following may be underlined:
• An obligation to answer requests and complaints that may be made by those affected by this issue.
• The power to sanction violations that may be committed in this field.
• Statistical data collection.
• Informing on the standards impacting the protection of data.
More information: http://www.agpd.es
1.2 Contextualizing the study
Nowadays the Internet is an arena of social relationships based on the increasing involvement of its users in:
• The editing, validation and publication of contents in various formats: text, audio, video.
• The specialization of the published contents. The websites are segmented in a variety of communities ranging from pure entertainment to professional life. Users are also segmented by groups of age: teenagers, adults, etc.
The technological and social changes have contributed to the establishment and the growth of this new popular form of creation based on the collaboration and the access to information.
The current trend on the Internet is now to focus on the user- through forums, blogs, wikis and social networks- in other words, all those utilities and services that are based on a database that the users may change while processing the contents (adding, changing or deleting information).
Unfortunately, these social spaces are not free from danger or possible malicious attacks:
• The user provides a series of personal data to register for these sites that are protected by the Spanish law. Moreover, the very nature of these sites means that their users will include extensive information about their preferences and needs, which also has to be protected, especially in the case of underage users and persons without legal capacity to act.
The fact that social networks are based on the principle of making publicly available the maximum amount of information, causes, both directly and indirectly, the emergence of innumerable legal problems only partly covered by the Spanish legislation.
• Some of the most representative sites have been targeted by online fraud. There have been situations where a person steals the identity of a legitimate company or a trusted friend, in order to obtain personal information, PIN or credit card numbers.
• It is common for users to use the same password for the different virtual communities they belong to, which means that a violation of one of them can affect all the data they have provided in their communities. The situation is exacerbated when users use the same password to manage their financial activity.
In this context, the users´ security (especially underage and legally incapacitated users) and the security of information, as well as the protection of privacy and personal data will constitute the most relevant part of the analysis.
Indeed, it becomes necessary to conduct a study that will examine, investigate, and develop on:
a) The security,
b) The legal and social aspects and
c) The technological characteristics
of the social networks that operate in Spain, with a specific attention to their effects and their use by underage people.
This study will also reveal the different opinions shared by the sector in order to guide future private or public initiatives aiming at reaching a good balance between the potential of these new tools, their limits and the rights of their users.
1.3 Objectives of the Study.
The overall objective of the study is to develop an analysis on the security of social networks and collaborative platforms, with a specific attention to underage and legally incapacitated users, through an assessment and a diagnosis of a) their legal, technological and sociological aspects, b) the security of their contents, c) the agents participating in them, d) the privacy and the data protection of the users who are related to each other through these websites.
This overall objective will be divided into specific sections:
• Legal analysis of social networks to determine the legal responsibilities and obligations of these service providers in Spain.
• Comparative study on the laws affecting these platforms for the European Union and for the U.S. with a particular attention to the penetration of social networks in these countries as well as to the legislative initiatives and projects related to them.
• Analysis of the different actors involved in the collaborative webs (ISP, advertising agencies, content agencies, etc.) regarding their legitimacy and their responsibility in the functioning of these platforms.
• Technological and sociological analysis of social networks, which will describe the functioning of these new forms of social interaction: flow of information and tools to share contents and communicate with other users.
• Analysis of the privacy and data protection of the users and the people who maintain relationships through social networks.
• Analysis of the security: assessment of the specific risks that might arise from the use of these websites especially for underage and legally incapacitated users.
• Analysis of the specific case of underage and legally incapacitated persons regarding the protection of their personal rights and the protection of their honor, privacy and image.
• Delimitation of the potential threats and risks while using this kind of collaborative networks. Measures to reach the proper balance between the possibilities of these tools, their legitimacy and the protection of the privacy and the data of the users.
With the achievement of these objectives, we want to provide information and recommendations for action regarding the legal, technological and security aspects of this kind of platforms.
The methodology used for this survey has been designed with the following objective: providing updated information on the situation and the vision of the users, the industry and the public sector, as well as providing the most rigorous analysis on the legal and technological aspects affecting social networks and collaborative websites.
The study and the analysis were developed in different phases:
1.4.1 Phase I. Data Collection and Fieldwork
The objective of this phase was to obtain as much information as possible regarding the phenomenon of social networking. The following tasks have been carried out:
1. Documentary search for resources related to social networks
a) Official documentation published by the European Union and International institutions [7].
b) Studies released by private entities.
c) Statistical analyses of social networks.
d) Articles and news.
[7] Among others: Article 29 Working Party; European Network and Information Security Agency; Asia-Pacific Economic Cooperation forum (APEC), etc.
2. Identification of the main actors involved in the phenomenon of social networks in Spain. Their level of compliance with the national legislation and their specific aspects will be considered later in the studies.
3. Conducting a Survey of 2.860 Internet users (over 15 years old) on the use of social networks between April and June 2008 [8]. The characteristics of the fieldwork for this survey are described below:
• Population of concern: Spanish users with frequent access to the Internet from home (at least once a month) and older than 15 years old.
• Sampling method and distribution: We have extracted a representative sample of 2.860 Internet users, according to the following model:
o Stratification by Autonomous Communities to ensure their proper representation.
o Sampling by quotas (household, age, sex, activity and resources [9]).
[8] Quantitative results obtained from the sample are based on opinions and perceptions of the surveyed users.
[9] Provided by Red.es, a public company belonging to the Ministry of Industry, Commerce and Tourism. (“TIC in Spanish homes: 11th Wave-October 2006”).
Table 1: Sampling by Autonomous Communities (%)
Autonomous Communities | Obtained Sample | Theoretical Sample
Andalusia | 15.2 | 15.2
Aragon | 3.5 | 3.0
Asturias | 3.6 | 2.5
Balearic Islands | 1.9 | 2.7
Canaries | 4.3 | 4.7
Cantabria | 1.4 | 1.3
Castille-La Mancha | 3.0 | 2.9
Castille and Leon | 6.2 | 5.4
Catalonia | 17.0 | 18.5
Basque Country | 5.1 | 4.7
Extremadura | 1.6 | 1.4
Galicia | 6.4 | 4.5
Madrid | 16.8 | 18.6
Murcia | 2.2 | 2.5
Navarre | 1.0 | 1.4
La Rioja | 0.4 | 0.7
Valencian Community | 10.2 | 10.0
Source: INTECO
Table 2: Sampling by Socio-demographic Categories (%)
Concept | Obtained Sample | Theoretical Sample
Activity
Workers | 83.9 | 71.7
Unemployed | 7.8 | 4.6
Students | 3.2 | 16.1
Retired | 2.7 | 3.0
Others/Inactive | 2.4 | 4.6
Household
1 | 8.2 | 3.2
2 | 22.6 | 15.4
3 | 24.3 | 28.7
4 and more | 45.0 | 52.7
Sex
Man | 51.0 | 53.7
Woman | 49.0 | 46.3
Resources
More than 20.000 | 28.1 | 24.8
From 20.001 to 100.000 | 24.8 | 24.1
More than 100.000 | 47.2 | 51.1
Age
Up to 24 | 21.6 | 23.4
25-35 | 37.1 | 28.2
35-49 | 32.4 | 31.8
50 and more | 8.8 | 16.6
Sampling base = 2.860
Source: INTECO
• Capture of information: Online interviews from a panel of Internet users with a total of 2860 respondents.
• Fieldwork: Carried out between April and June 2008.
• Sampling error: According to the criteria of simple random sampling for dichotomous variables in which p=q=0.5 and with a confidence level of 95.5%, the following calculation of sampling error is:
Total sample n= 2.860, sampling error ±1.87%.
4. Conducting 35 in-depth interviews:
b) Social Networks users.
c) Professionals in the field of Technological Law and Information Security.
d) Public institutions and non-profit organizations.
5. Creation of 3 discussion groups:
a) A “Legal and Information Security” Group.
b) A Group of social network users.
c) A Group of underage users of social Networks.
1.4.2 Phase II. Information Analysis.
Following the completion of the fieldwork and the collection of the information available on the phenomenon, social networks have been analyzed from the following points of view:
• Protection of the rights to honor, image, intimacy and privacy.
• Protection of Personal Data.
• Protection of consumers and users.
• Protection of intellectual property.
• Protection of underage and legally incapacitated users.
• Protection of workers.
Aspects related to the information security.
• Security systems configured by the websites.
• Systems for the internal protection of users and contents.
• Systems of complaints.
• Systems for anticipated settlement.
• Systems for the protection of underage and legally incapacitated users.
Aspects related to the business models and the means of exploitation
• Creation of social networks.
• E-commerce through social networks.
• Value chain.
• New business lines and problems related to their security.
Aspects related to the social perception of social networks
• Social networks as a new form of social contacts.
• Social networks and trend creation.
• Sociological dangers generated by social networks.
The analysis of social networks is based on all those aspects. These platforms can be considered as a new social reality by which the users could develop themselves as individuals.
The analysis also focused on the industry. It highlights its key challenges and vulnerabilities.
1.4.3 Phase III. Recommendations and conclusions
After analyzing and classifying the collected information, and after clarifying the results of the interviews, we detected a certain number of patterns related to the opinions of social network users and the purposes of these platforms.
The recommendations focus on the best ways to improve social networks, and also on the correct use of these ones by their users. Thus, the recommendations are addressed to:
• The industry: recommendations to handle the main problems detected while realizing the studies and conducting the interviews and discussion groups.
• Public administrations: recommendations to the various organs of the administration in order for them to have the necessary knowledge to better protect the interests of social networks users.
• Users and associations: recommendations for them to have valid information on how to operate while using social networks.
The conclusions of the document aim at dealing with the largest number of situations that might be encountered in the field of social networks.
1.5 Content Structure
This study is divided into the following parts:
Situation and definition of social networks
Offers a clear and simple overview on the current situation of the sector (the existing social networks and the key business models) in order to better understand the problems raised by these platforms and their position on the market.
Analysis of the most relevant aspects and the specific problems of social networks.
This section evokes the main rights protecting the users of social networks, especially those of the third Group (underage and legally incapacitated users) and the workers.
The analysis focuses on the legislation, the applicable protective measures and the attitudes of social networks regarding these aspects. It has been divided into four fields:
• The right to honor, privacy and image: the actions of both users and networks are taken into account. The analysis goes beyond the sphere of data protection, e.g. transfers of images for commercial purposes.
• Protection of personal data: we studied the activities of different social networks, taking into account inter alia: the kind of users, the collected data and the way to process them.
• Intellectual and industrial property: from the perspective of intellectual property, the transfers of rights via collaborative platforms and their applications have been studied. From the perspective of industrial property, the uses of trade names and trademarks by the platforms and their users have been examined.
• Consumers and users: The various defensive measures available to the users of social networks have been discussed.
Recommendations and conclusions
The recommendations focus on the best ways to improve social networks, and also on the correct use of these ones by their users. These recommendations are addressed to the industry, the government, the users and their representative associations.
The conclusions have been specifically drafted to apply to the largest number of situations related to social networks and collaborative websites.
SITUATION: DEFINITION OF SOCIAL NETWORKS
This chapter provides an overview on the current situation of various social networks, the kind of networks available for the public and the main business models used in this sector in order to understand the situation and the problems related to this kind of platforms and their current position on the market.
2.1 Characterizing Social Networks.
2.1.1 Theoretical Basis
Social Networks refer to online platforms from which registered users can interact, share information, images or videos, allowing these publications to be immediately accessible by all the users of their group.
The analysis of social networks has been appearing in many social studies during the past twenty years: they are considered as a new tool for analyzing individuals and their social interactions. Since they focus on the personal and collective relationships and not on the characteristics of the individuals (race, age, income, education) they have been used to study the habits, tastes and ways of interacting among social groups.
Any social network is based on the theory of six degrees of separation [10], according to which any individual can be connected to any other person on the planet through a chain of acquaintances with no more than five intermediaries (with a total of six connections). The number of acquaintances increases as do the links in the chain. Individuals in the first degree are the closest friends and family. As the degrees of separation increase, the relation and the trust decrease.
The Internet and the development of powerful software applications enabling the creation of platforms dedicated to the exchange of information and the interaction between individuals have meant a real revolution favorable to the emergence of the concept of social network, as it is known today. The universality of the web enables to quickly expand the number of contacts and to build closer ties between users who have common interests.
2.1.2 Origin and evolution
The first social network was created in 1995, when Randy Conrad conceived the website “classmates.com”. This social network was intended for the users to retrieve or keep in touch with former colleagues from school, institute, university, etc.
[10] Theory developed in 1929 by the Hungarian writer Frigyes Karinthy. Also mentioned in the book “Six Degrees: The Science of Connected Age” of the sociologist Duncan Watts, who says that anyone is accessible on the planet in only six jumps.
In 2002 websites that promote networking among circles of online friends began to appear, gaining popularity in 2003 with the creation of websites like MySpace or Xing. The popularity of these platforms has grown exponentially. Large multinational companies then developed new projects taking advantage of the success of social networks: for example, Orkut by Google or Yahoo! 360º by Yahoo!. Then focused social networks began to appear [11].
Table 3: Social Networks
2002 Friendster Fotolog
2003 MySpace LinkedIn Hi5 SecondLife
2005 Yahoo!360º Bebo
2006 Facebook Twitter Tuenti
Source: INTECO based on Panda Security
The increased popularity of social networking was parallel to the increasing number of websites dedicated to the exchange of contents. This turned the Internet into a new means for social interactions, entertainment and sharing contents. At the earliest stage, users were considered as mere consumers of contents created by others. Now they can create their own contents with a computer, a connection to the Internet and basic knowledge in Internet use.
The expansion of this phenomenon had been measured lately by the Universal McCann Study (3rd Wave Study of the Power to the people social media. March 2008), which estimated the number of social networks users to be 272 million. It represents 58% of the registered Internet users worldwide, and an increase of 21% compared to the data recorded in June 2007.
In Spain [12], as underlined in the Universal McCann Study, 44.6% of the Internet users are using these services (Graph 1) to be connected with their friends and close family, or to look for persons they lost contact with. Applying this percentage to the data registered by the Wave XX from Red.es, which highlighted that “between January and March 2008, around 17.6 million of people have used the Internet the month before”, it is estimated that 7.85 million regular users (above 15 years old and who had an Internet connection during the last month) are using social networks [13].
[11] In Spain, some social networks (Minube.com, Patatabrava.com, Moterus.com, VIVO.com) are dedicated to specific sectors such as travelling, motorcycles and entertainment.
[12] Although the sources of information are diverse, they all agree that, for 2008, the proportion of Spanish Internet users who regularly use social networks is around 40 to 50%. It was, for example, 50% according to Zed Digital (The Phenomenon of social networks. Perception, uses and advertisement. November 2008) or 45% according to The Cocktail Analysis (Observatory for the assessment of social networks. Online communication tools: Social networks. November 2008).
Graph 1: Percentage of Social Network Users in Spain. March 2008.
Use Don't use
Source: INTECO based on Universal McCann
These new services are configured as powerful channels of communication and interaction, allowing the users to act as segmented groups (for entertainment, communication, professional life, etc...) The network is consolidated, therefore, as a space to build relationships, communities and other social systems in which participation is motivated by reputation.
The concept of social network has been widely discussed by professionals from different sectors, and there is currently no absolute and widely accepted definition.
[13] In this sense it is possible to indicate that in 2008, a study carried out by the market research company comScore revealed that 8.828.000 Spaniards belonged to some of these networks. More information at: http://advertising.microsoft.com/espana/estudio-comscore-para-las-redes-sociales
Before examining the concept of social network, it is necessary to differentiate traditional social networks from online social networks [14].
A social network primarily designates a form of interaction between people and / or communities of people. Here are some definitions of social networks:
“Forms of social interaction, which are defined primarily by the dynamic exchange between their subjects. Networks are open systems of individuals who can be identified by the similitude of their needs and problems. Networks, therefore, stand as a form of social organization that allows a group of people to enhance their resources and that contributes to solve their problems” [15].
“Networks are forms of social interaction, defined as a dynamic exchange between individuals, groups or institutions, involving similar individuals identified by their needs and issues and that are organized to leverage their resources” [16].
“On the overall, the concept of network is used to refer to two phenomena: networks are on one hand considered to be a set of interactions that occur spontaneously, and on the other, and this is the most interesting aspect, networks aim to organize these spontaneous interactions with a certain degree of formality, for the establishment of common interests, problems, questions, and goals” [17].
Given the importance of this phenomenon, the International Group on Data Protection in Telecommunications in Berlin agreed on the “Rome Memorandum” [18] at its meeting of March 2008. “One of the challenges that can be observed is that most of the information published on social networks, is done under the initiative of users and based on their consent”. The Memorandum also analyzes the risk for privacy and security represented by social networks, and underlines that these do not provide “free services”, since their users are paying through secondary uses of their profiles such as targeted marketing.
[14] Although the concept of social network is used interchangeably to designate online social networks and traditional ones, this is an error that may cause a distortion of the subsequent analysis.
We can say that social networks are online “services involving the creation of online communities of people who share interests, activities, and who learn from others”
[15] From "Network. An approach to the concept." Marta Rizo García, Autonomous University of Mexico City.
[16] From the "Castilla y León 2.0. Towards the Information Collaboration." 2008 edition.
[17] From the article "Networks. An approach to the concept" by Marta Rizo García, Ph.D. in Communication from the Universidad Autonoma de Barcelona and professor-researcher of the Academy of Communication and Culture and of the Studies Center on the City of the Universidad Autonoma de Mexico. Member of the Training Network on Communication Theory and Comunicología (REDECOM, Mexico) and the Network for Studies in Cyberculture and TIC (RECIBER, Mexico).
The European Network and Information Security Agency (ENISA) published in October 2007 some "Recommendations for the security of online social networks" [19], addressed to the providers of social networks and to the bodies that legislate in this field, which recommended investing in the education of social network users and promoting greater control while accessing the services.
We can conclude from the above considerations that: "Social networks are online services provided through the Internet that allow their users to generate a profile where they can publish data and personal information; that provides tools to interact with other users; and that allows to locate them according to the characteristics published in their profiles”
2.1.4 Keys to success
The following aspects led to the success of this online phenomenon:
The growth of these platforms is primarily based on the technique known as “word of mouth” or viral [20] process, in which an initial number of participants invite their friends to join the website via mail. New members repeat the process, rapidly increasing the total number of members. The
[20] When talking about viral process regarding social networks, it refers to the ability of such networks to reach a maximum growth of users in the shortest time possible. This is a concept that is directly related to marketing.
Graph 2 illustrates this idea. In Spain, more than one-third of social network users (37.0%) have more than 50 contacts: 19.4% have from 51 to 100 contacts and 17.6% have more than 100. Only one-fifth (21.5%) have less than 10 contacts, which gives an idea of the level of dispersion and the rate of penetration of these services.
Graph 2: Number of contacts by social network users in Spain. October 2008
Less than 10: 21.5%; 10 to 50: 41.5%; 51 to 100: 19.4%; More than 100: 17.6%
Source: INTECO based on Zed Digital
Social networks offer various applications and features, including: automatic address book from email accounts, public profiles visible to all visitors, etc. These applications are based on three variables known as the "3Cs":
o Communication (sharing of knowledge).
o Community (finding and integrating communities).
o Cooperation (doing activities together).
Social networks focus on getting their members to use online media to convene events and actions that will have an impact on the offline world. Good examples of this are the "Shopping Social Networks," through which users can share their views, tastes and experiences about certain products and services and can arrange to shop in large groups in order to get discounts. This kind of network also allows users to receive recommendations for activities in their daily lives (recommendations for leisure, dining, etc.) according to the user preferences.
2.2 Typology of social networks
Social networks can be categorized according to their targeted public, or the kind of contents they publish. There are, at least, two main social network groups: generalist and professional.
Although each one has a certain number of specific aspects, both share common structural features:
• Their primary purpose is to allow people to make contacts and to interrelate. The platform makes it easy and quick to keep in touch with other users.
• They allow interaction between all users of the platform, either by sharing information, allowing direct contact or by facilitating new contacts of interest.
• Allow and encourage the ability for users to initially contact other ones through the online media, and eventually meet in the real world.
• Allow unlimited contact between users, so that the concept of space and time becomes relative. Users are able to communicate with each other from anywhere at any time, provided that both parties agree to interact.
• Promote the expansion of viral social networks, using this method as the principal way to increase the number of users.
The following pages define each one of the previous groups according to their targeted audience and the kind of contents they host.
2.2.1 Generalist and recreational social networks.
Such networks are characterized by their main objective, which is the provision and the reinforcement of personal relationships between their users. The growth of these networks has been tremendous during the recent years. Some platforms such as Facebook have a daily entry of more than 120 million active users who are also creating their own contents [21].
According to some data [22], such networks replaced other media such as instant messaging that has been widely used during the recent years. This is largely due to the aspects that characterize generalist social networks:
• They offer a variety of applications and / or functionality that enables the users to spare themselves the trouble of using external communication tools by providing them a platform that integrates all the necessary applications on a single screen.
• They offer and encourage people not to focus solely on how to operate online, but also to organize their daily lives through the platform [23].
• They provide users the code used to program [24] the platform, so they can develop their own applications, which are implemented within the social network, thereby increasing the usefulness of the platform and thus its diffusion.
[21] Data published in The Facebook Blog and in cnet news.
[22] According to the latest study by the Pew Internet & American Life Project called “Social Networking Websites and Teens: An Overview” by Amanda Lenhart & Mary Madden, 55% of underage users who are connected to the Internet has created and frequently updated their user profile on at least one social network.
A sub-classification of generalist social networks can be made, depending on their purpose or theme:
Platform to exchange content and information
Services such as YouTube, Dalealplay.com, Google Video, etc., are characterized by providing free and simple tools to exchange and publish digital content (videos, photos, text, etc.).
Strictly speaking, they cannot be considered genuine social networks, as they only allow the publication of content that other users can view, limiting the interaction between users to comments on the content and ratings of it.
However, although these platforms were originally independent from social networks, they currently allow users to link content and to advertise directly from the user profile [25].
Social Networks based on User’s Profiles.
Networks such as Facebook, Tuenti, Wamba, Orkut, etc., are the most representative social networks used on the Internet [26].
The possibility for third parties to develop applications on these platforms and the ease with which their users can interact with each other are making traditional communication tools less useful.
Such networks are often divided by topics, creating large communities of users with high levels of expertise on specific issues. They are becoming great sources of information and knowledge [27].
A clear example of this is the social network www.salir.com, where Spanish users recommend places to visit in a given town or organize events.
[24] A clear example of this practice is the OpenSocial platform, owned by Google, whose potential is really high. For more information please go to the following address: http://code.google.com/apis/opensocial.
[25] It should be noted that the vast majority of content exchange platforms, like YouTube, DeviantArt or Fotolog, make shortcut icons to the main social networks available to users.
[26] As determined by the study recently published by the newspaper Le Monde, “Réseaux sociaux: des audiences différentes selon les continents”. This report clearly shows that the most visited social networks in every continent are the profile-based social networks such as MySpace, Facebook, Tuenti, Friendster, Netlog, Bebo.