Yesterday, I submitted Losing Face: An Environmental Analysis of Privacy on Facebook to a variety of science and technology law reviews. Its abstract is as follows:
This Article contributes to the ongoing conversation about privacy on social network sites. Adopting Facebook as its primary example, it reviews behavioral data and case studies of privacy problems in an attempt to understand user experiences. The Article fills a crucial gap in the literature by conducting the first extensive analysis of the informational and decisional environment of Facebook. Privacy and the environment are inextricably linked: the practice of the former depends upon the dynamics and heuristics of the latter.
The Article argues that there is an environmental element to the Facebook privacy problem. Data flow differently on Facebook than in the physical world, and the architectural heuristics of privacy are absent or misleading. This counterintuitive informational environment waylays privacy practices, opens a gulf between expectation and outcome, causes a crisis in self-presentation, and facilitates what Professor Helen Nissenbaum calls a loss of contextual integrity.
The Article explores possible interventions. It explains how regulatory solutions and market forces are themselves hindered by the the deficient privacy environment of Facebook and can’t solve all of its problems. This Article recommends renovating the design of Facebook to privilege privacy practices and proposes specific interventions drawn from the computer science and behavioral economics literature. It concludes with a message of cautious optimism for the emerging coalition of engineers, academics, and practitioners who care about privacy on networked publics.
The Article is a heavily revised adaptation of the thesis I conducted for Ethan Katsh and Alan Gaitenby at the University of Massachusetts, Amherst. If you’ve read my thesis (entitled “Saving Face”; title changed to avoid confusion with James Grimmelmann’s excellent Saving Facebook, recently published in the Iowa Law Review), then you’re familiar with the broad contours of the idea.
Losing Face, however, has been both greatly refined in its argumentation and noticeably reworked in its format (bah Bluebook) over the last year or so. I received invaluable feedback and assistance over the last from many people during this drafting process, including Helen Nissenbaum, researchers and interns at the Berkman Center for Internet and Society, but most indispensably James Grimmelmann, who helped me navigate the convoluted and mystified norms and logistics of the publication process.
I’ve posted a copy of the Article here and on BePress for further comment while it wends its merry way through the editorial process. This is a draft only, and should not be used for citation. I’ve endeavored to make all references as clear as possible, though some are not as clear as they will be in the final version because I haven’t nailed down all the infras and supras yet. If you have any questions, comments, or concerns about Losing Face, please feel free to drop a comment here or shoot me an email.
So I’m rewriting my senior thesis to explore possible publication options in different law reviews. If anyone out there read the original thing and has any feedback I’d be much obliged if you shared it with me.
My revisions are mostly streamlining and refining the argument. I’ve also got to come up with a new name as Grimmelmann’s Facebook and the Social Dynamics of Privacy has been retitled “Saving Facebook” for forthcoming publication in the Iowa Law Review.
Below is excerpted a draft of my new introduction. (continue reading…)
Suppose you go to the movies. You buy a gallon bag of popcorn for $5. Your twin also pays $5, but she receives her popcorn in four sealed quart bags. You are both equally hungry, have equivalent stomachs, and have the same love for salty treats during showings of Up. Will you both eat the same amount of popcorn?
Probably not. At least, that’s the answer suggested by the behavioral economist Dilip Soman. I subscribe to the podcast Arming the Donkeys by Dan Ariely. On last week’s show, Dan interviewed Dilip about “The Effect of Bracketing on Spending“, cowritten with Amar Cheema.
The basic finding of Soman and Cheema is this: portions affect consumption. Nothing new to dietitians, perhaps, but definitely new to economists. Soman explains that, ceteris paribus, your twin will eat less than you, because putting the same amount of popcorn into different bags creates “brackets” that contextualize consumption. There’s nothing to stop you from eating all of the giant tub of popcorn, but the tiny barrier of opening the bag makes you think about how much you are eating and gives you the chance to reevaluate your total consumption.
Soman and Cheema found the same effect held true with gambling. Roughly speaking, give a gambler an envelope with $X, or give them 10 envelopes each containing a tenth of $X, and they will gamble differently. According to Cheema, partitioning this way can reduce spending by 50%.
Now, what on earth does this have to do with my bank?
Germany’s major carrier Lufthansa became the target of a Distributed Denial of Service (DDoS) attack…The attack was initiated by Andreas-Thomas Vogel, an activist and website administrator for the Libertad, an advocacy group criticizing as “inhumane” Lufthansa’s policy of letting the police use its planes for the forced deportation of asylum seekers. On June 20, 2001, Vogel called for Internet users to participate in what he claimed to be an “online demonstration.” He released software that systematically contacted the website of Lufthansa and flooded the company’s web server with messages, forcing it to shut down. According to Lufthansa lawyers and Human Rights organizations, Lufthansa registered about 1.2 million hits that day, which originated from some 13,000 computers.
I’m currently doing some work on cyberaggression for Urs Gasser at the Berkman Center. The Vogel case – quoted above – would seem to be a textbook example of malicious online aggression: a number of users, acting in concert, overwhelm the web servers of a foe until the site shuts down. As far as I can tell, it is a textbook distributed denial of service attack, with the one rather noteworthy exception that instead of hiring out a botnet for an hour or so Vogel actually got real people to run the software.
So here is the question: should we treat Vogel like a ruthless criminal or like a virtuous activist? Or, in other words, was the Lufthansa DDoS more like blackmail (Vogel was charged with coercion) or more like a sit-in?