Popular opinion suggests that between sexting, posting pictures of drunken revelry on Facebook, and making inappropriate tweets, today’s youth culture does not value privacy. In conjunction with the explosion of mobile phone Internet access and multimedia recording, this opinion would hold that there is nothing more dangerous to a workplace with sensitive information than a college grad with an iPhone. Researchers from UC Berkeley and the University of Pennsylvania recently released a study that confronts these stereotypes, and the findings could make security awareness and education programs much more effective.
There are certainly privacy risks present in social media usage. However, the study suggests that there are a few factors that might make youths (aged 18-24 years) appear to be less privacy-conscious than they are, especially compared with older adults. The study shows with statistical significance that youths are just as concerned about private information, and similarly reluctant to trade private information for personalized advertising, discounts, or news. The surveyed youths also showed a similar understanding of basic privacy protection measures, such as clearing browser cookies or reading website privacy policies.
The researchers discovered that differences among various age groups existed not in consciousness of the importance of privacy, but rather in understanding what privacy protections exist, particularly legal protections. The data suggests that those in the “Youth” category misunderstood or overestimated what protections are afforded by the law for individuals, both online and offline. As a result, youths are not equipped to make appropriate risk decisions. Though they might correctly estimate the value of data that needs to be protected, they might overestimate the amount of protection provided for that information by law. Further, in an environment where peers are expected to participate in social networks, trade text messages, and keep up with the latest tech gadgetry, many youths might feel social compulsion to participate in some behavior despite feeling generally uneasy about its privacy implications.
It doesn’t help matters that a decision made for the sake of privacy, with the capabilities of current controls in mind, may not hold true for tomorrow’s controls. For example, attendees at Facebook’s recent F8 developer’s convention were introduced to Social Graph, a new set of tools and protocols that can be used to extend social networking onto third-party websites. Alongside the new API, Facebook has adjusted its policies for things like third-party application data retention, removing the previous 24-hour retention limit and making it possible to retain data as long as they are authorized by the user. Platform changes also included an opt-out privacy setting for third-party sites, called Instant Personalization. The change would feed previously restricted information to participating third-party sites unless the user explicitly cleared the appropriate checkbox, which appeared in their profile’s privacy settings screen with little, if any, notification.
This places users of all ages in an environment where privacy may be a key concern, but the only stable risk decision is “share nothing” or “share everything.” The “share nothing” approach is impossible in practice, and “share everything” is demonstrably undesirable. What remains is a series of unstable risk decisions, where users believe that they are making a “share something” decision, with the potential that the boundaries are shifted outside of a controlled environment and into the “share everything” domain. Users believe, for example, that their list of friends is available only to their friends; then the boundaries are shifted and anyone can browse their list of friends.
Implications for Security Awareness
It may seem that valuing privacy and making sound risk decisions are only barely separate from each other, but we have known for some time that motivation is a key factor in gaining support from users in upholding security policy. If understanding the efficacy and existence of security controls is the key reason that a particular demographic is not making good privacy choices, then education should be an effective method to decrease undesirable behavior, and will likely apply across age groups. Security managers should consider seeking greater understanding of the perspective of their users to ensure that excessive confidence is not placed in security controls, which might lead to unwitting, overly risky behavior. Further, administrators could take heed of the problems caused by shifting security boundaries. As technology advances and networks and systems evolve over time, security awareness should include updates to make users fully aware of the necessary changes to their thinking that should accompany architectural advances.