Study on the Privacy of Personal Data and on the Security of ... - AEPD

Royal Decree 1720 / 2007 should be underlined. It stipulates that the ...... Marta Rizo García, Autonomous University of Mexico City. 16 From the "Castilla y León ...
2MB Größe 9 Downloads 173 vistas
Instituto Nacional de Tecnologías de la Comunicación

Study on the Privacy of Personal Data and on the Security of Information in Social Networks

INFORMATION SECURITY OBSERVATORY

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 1 of 143

Instituto Nacional de Tecnologías de la Comunicación

February 2009

This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación –INTECO- (Spanish National Institute of Communication Technologies (INTECO) and the Agencia Española de Protección de Datos –AEPD(Spanish Data Protection Agency), is under a Creative Commons Spain 2.5 Attribution Non-commercial license, and for this reason copying, distributing and displaying this work is permitted under the following circumstances: • Attribution: The content of this report can be totally or partially reproduced by third parties, specifying its source and expressly referring to both INTECO and AEPD its website: www.inteco.es, www.agpd.es. This attribution can in no event suggest that INTECO or AEPD provides this third party support or supports the use made of its work. • Non-commercial Use: The original material and the resulting works can be distributed, copied and shown as long provided that it is not for commercial purposes. When the work is reused or distributed, its license terms must be made very clear. Some of these conditions may be not be applicable if the copyright license is not obtained from INTECO and the AEPD. Nothing in this license impinges or restricts INTECO's and AEPD's moral rights. Full license text: http://creativecommons.org/licenses/by-nc/2.5/es/

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 2 of 143

Instituto Nacional de Tecnologías de la Comunicación

INDEX INDEX..................................................................................................................................3 EXECUTIVE SUMMARY .....................................................................................................7

1

I

Situation: definition of a social network ....................................................................7

II

Analysis of the most relevant aspects and specific problems of social networks. ...8

III

Proposals and recommendations to the parties involved in social networks. ........12 INTRODUCTION AND OBJECTIVES ........................................................................20

1.1 1.1.1

Spanish National Institute of Communication Technologies (INTECO) .........20

1.1.2

Spanish Data Protection Agency ...................................................................21

1.2

Contextualizing the study ...................................................................................22

1.3

Objectives of the Study. .....................................................................................23

1.4

Methodology ......................................................................................................24

1.4.1

Phase I. Data Collection and Fieldwork .........................................................24

1.4.2

Phase II. Information Analysis........................................................................28

1.4.3

Phase III. Recommendations and conclusions ..............................................29

1.5 2

Presentation .......................................................................................................20

Content Structure ...............................................................................................30

SITUATION: DEFINITION OF SOCIAL NETWORKS ................................................31 2.1

Characterizing Social Networks. ........................................................................31

2.1.1

Theoretical Basis............................................................................................31

2.1.2

Origin and evolution .......................................................................................31

2.1.3

Definitions ......................................................................................................33

2.1.4

Keys to success .............................................................................................35

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 3 of 143

Instituto Nacional de Tecnologías de la Comunicación

2.2

Typology of social networks ...............................................................................37

2.2.1

Generalist and recreational social networks. .................................................38

2.2.2

Professional Social Networks.........................................................................40

2.3

Value chain and business models .....................................................................43

2.3.1

Value chain of social networks. ......................................................................43

2.3.2

Business models. ...........................................................................................45

2.4

Risks implied by the use of social networks .......................................................57

3 ANALYSIS OF THE MOST IMPORTANT ASPECTS AND SPECIFIC PROBLEMS OF SOCIAL NETWORKS ........................................................................................................61 3.1

Protection of the right to honor, personal and family privacy and image. ..........62

3.1.1

Definition of the right ......................................................................................62

3.1.2

Applicable Law ...............................................................................................65

3.1.3 Possible risks. How could the right to honor, privacy and image be affected in a Social Network?.......................................................................................................69 3.1.4

Vulnerable Groups. Underage and legally incapacitated users. ....................70

3.1.5

Measures to protect the right to honor, privacy and image ............................73

3.2

Personal Data Protection ...................................................................................75

3.2.1

Definition of the right ......................................................................................75

3.2.2

Applicable law: regulation and its evolution ...................................................76

3.2.3 Possible risks on social networks. ¿How does personal data could be affected? .....................................................................................................................87 3.2.4

Vulnerable Groups. Underage and legally incapacitated persons. ................93

3.2.5

Measures taken to protect the personal data of users. ..................................95

3.3 3.3.1

Intellectual Property protection in social networks .............................................96 Definition of the right ......................................................................................97

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 4 of 143

Instituto Nacional de Tecnologías de la Comunicación

3.3.2

Legal framework: regulations and its evolution. .............................................98

3.3.3 Probable risks. ¿How could Intellectual Property Rights be affected in a social network? ...................................................................................................................101 3.3.4

Groups specially protected. Underage and legally incapacitated persons...103

3.3.5 Measures to protect the rights to intellectual property of users and third parties. 104 3.4

Protection of Users and Consumers ................................................................106

3.4.1

Definition of the right ....................................................................................107

3.4.2

Applicable Regulations: Regulation and its evolution ..................................107

3.4.3

Possible risk. ¿How do these rights could be affected?...............................110

3.4.4

Specific Cases. Underage and legally incapacitated persons. ....................112

3.4.5

Measures to protect the rights of users and consumers ..............................112

4 Proposals and recommendations addressed to the agents participating in social networks ..........................................................................................................................115 4.1

Proposals and recommendations addressed to the Industry ...........................116

4.1.1 Proposals and recommendations addressed to social networks and the collaborative platforms..............................................................................................116 4.1.2 Proposals and recommendations addressed to the manufacturers and the providers of computer security .................................................................................121 4.1.3 Proposals and recommendations addressed to the Internet Services Providers (ISP) .........................................................................................................123 4.2 Proposals and recommendations addressed to the Administrations and Public Institutions ....................................................................................................................124 4.2.1

From a normative point of view ....................................................................124

4.2.2

From an executive and administrative point of view ....................................127

4.2.3

From an educational and informative point of view ......................................127

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 5 of 143

Instituto Nacional de Tecnologías de la Comunicación

4.3

5

Proposals and recommendations addressed to the users and the associations 128

4.3.1

Protection of personal data, honor, intimacy and personal image ...............128

4.3.2

Intellectual property ......................................................................................129

4.3.3

Technology and security ..............................................................................129

4.3.4

Protection of underage users .......................................................................129

Conclusions ..............................................................................................................132

Annex I.............................................................................................................................135 INDEX OF GRAPHS........................................................................................................141 INDEX OF TABLES .........................................................................................................142

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 6 of 143

Instituto Nacional de Tecnologías de la Comunicación

EXECUTIVE SUMMARY I

Situation: definition of a social network



Online social networks are services that let their users to create a public profile where they can introduce personal data and information. The users have different tools to interact with each other.



The growth of these platforms is based on a viral process, by which the initial users send an email invitation to their different contacts requesting to join the website.



These new services are strong channels of communication and interaction that enable the users to act as segmented groups: for entertainment, communication, professional purposes, etc.



The main objective of a social network is reached when the users use it to convene events and actions that have an impact on the offline world.



The latest statistics (from the Universal McCann Study of March 2008: “Power to the people social media. Wave 3”) has estimated that the number of users of social networks is 272 million, which represents 58% of the Internet users worldwide.



In Spain 1 , as underlined in the Universal McCann Study, 44.6% of the Internet users are using these services to be connected with their friends and close family, or to look for persons they have lost contact with. Applying this percentage to the data registered by the Wave XX from Red.es, which highlighted that “between January and March 2008, around 17.6 million of people have used the Internet the month before”, it is estimated that 7.85 2 million of regular users -above 15 years old and who had Internet connection during the last month- use social networks.



In addition, it has been noticed that the percentage of social networks users is higher among underage users and declines with age: 7 out of 10 Internet users are younger than 35 years.

1

Even if there are different sources of information, they all agreed that in 2008, the number of Spanish Internet users who are regularly using social networks is around 40 to 50%.

2

One has calculated applying the percentage for Spain, of the data of the Study of Universal McCann to the number of habitual users of Internet obtained from the data of Big wave XX of Red.es.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 7 of 143

Instituto Nacional de Tecnologías de la Comunicación

II

Analysis of the most relevant aspects and specific problems of social networks.

The reputation of these online spaces is not free from the risk of potential malicious attacks. The National, European and International authorities had tackled the problem and had agreed to develop standards and recommendations 3 to ensure secure access for users with a specific attention to underage users. This chapter provides an in-depth analysis of the most relevant legal issues that directly affect social networks: Protection of honor, personal and family privacy and image. The right to honor is inalienable and represents the right to have a proper image, name and reputation. It means the respect of the person, regardless of the circumstances. The right to privacy protects the most intimate sphere of the person’s life, and is closely linked to the protection of individual dignity. Finally, the right to image is intended to safeguard the image of a person in the public area. In Spain, the protection of these rights are contemplated in the The Spanish Ley Orgánica 1/1982 de 5 de mayo, de Protección Civil del detector al Honor, Personal y Familiar, Privacidad y Propia Imagen (the Organic Act 1/1982 on the Protection of Civil Rights to Honor, Personal and Familial Privacy and Image), which goes further than the provision of the Constitution stipulated in the Article 18.1 SC (Spanish Constitution or Spanish Bill of Rights). However, some situations are not expressively regulated and in certain conditions (while using social networks and collaborative websites), this may be a risk for the rights of users. Among the potential risks to privacy, we can include the following aspects:

3

The main regulatory initiatives come from the international plane, especially of the European Commission and the Work group of the Article 29, that in the last months has made its intention public to regulate in the smaller possible term all the aspects related to the security and collaborative protection of the users of the social networks, Web sites, blog and other means of interaction of users in Internet. Thus, the past 15-17 of October of 2008, was celebrated the 30 Conference the International of Authorities of Protection of Data and privacy in Strasbourg. In her one remembered carry out a proposal of normative regulation of this type of platforms that fulfills the following requirements: to be a world-wide norm, legally indispensable to any type of lender, regardless of where one is located; that it equips to the users of a series of protections considered basic at the time of developing his activity in the Network; that he guarantees basic a minimum protection and for the minors, native of this type of services and especially unprotected users before these, as well as that the lenders settle down a series of technological measures directed to the protection of the users. Of this form, the next month of November of year 2009 will be celebrated in Madrid, the 31 Conference the International of Protection of Data, in which a first rough draft of the world-wide regulation in the matter of protection of data will set out, for its later debate and approval at international level.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 8 of 143

Instituto Nacional de Tecnologías de la Comunicación



While registering: the users might not be able to configure the privacy level of the profile, thus publishing sensitive information while beginning to use the social network.



While participating in the network, the users might publish sensitive information, data and images that have an impact not only on their privacy, but also on third parties. o

Personal privacy: even if the users are voluntarily publishing their data on the network, the effects on their privacy might be deeper than believed at first sight, because these platforms have powerful tools to exchange, process and analyze the information provided by their users.

o

Respect of the privacy of third parties: it is essential for the users to bear in mind that the publication of personal information and data related to third parties cannot be done unless these ones have expressively authorized their publication, and could request an immediate withdrawal.

Finally, it is important to highlight that in most cases, social networks allow search engines to index users´ profiles, along with contact information and profiles of friends, which may represent another risk for privacy. •

While unsubscribing from the platform, the users request to remove their profile, but some data might still remain, either personal information or pictures posted on the profiles of other users.

Furthermore there is in Spain a specific protection for children who are massive users of such online services. They enjoy a higher status of protection insofar as the intervention of their parents or guardians is required in many circumstances. During the past few years, the level of awareness regarding the protection of privacy and personal data has been increasing. A law related to those matters has been published: the Spanish Ley 34/2002, de 11 de julio de Servicicios de la Sociedad de la Información y del Comercio Electrónico (the Act 34/2002, of July the 11th, regulating The Services of the Information Society and the E-Commerce hereinafter referred LSSICE). It considers the new social reality implied by the use of TIC in general, and by the Internet in particular, and it provides a normative basis to regulate the Internet and its services, in a complete and effective way. However, as stated in the survey, the adaptation of the legislation is more and more complex due to the rapid growth of new services associated to the Information Society, such as social networks. Therefore, it is necessary to initiate and develop a new concept

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 9 of 143

Instituto Nacional de Tecnologías de la Comunicación

of “Technological Law”, based on R&D, ensuring the protection of the users without hindering the development of such services. Protection of personal data The fundamental right to data protection is specifically regulated by the Article 18.4 of the Constitution, unlike the right to privacy, and it gives its holder the legal power to “control the use that is made of his/her personal dada, including, among others, preventing their personal information from being used for other purposes than the ones for which it was obtained” 4 . Given the large amount of personal data that the users publish on their profiles, these ones are turning out to be genuine “digital identities” providing a quick understanding of the users preferences, habits, etc. The protection of personal data has been widely developed at the European and national level. In Spain, a specific legislation has been implemented through the Spanish Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal (Organic Law 15/1999 on Data Protection, hereinafter referred to as the LOPD, and through the Royal Decree 1720/2007 of December the 21th, which approves the Regulation on the Implementation of the Organic Law for Data Protection hereinafter referred to as the RLOPD). An extensive effort of interpretation has been realized by the Agencia Española de Protección de Datos (Spanish Data Protection Agency) which had solved cases of violation of data protection rights, derived from the use of the new services offered by the Information Society. These resolutions guarantee the users the best protection of their rights. However, as underlined during the interviews and the discussion groups, the protection of personal data is particularly difficult when it comes to social networks since they are based on the publication of data by the users themselves. Thus, among the potential risks for the protection of personal data are included:

4



Cases of phishing and pharming. Both are pretty much exploited by cyber-criminals to collect the personal or economical data of Internet users (credit cards, PIN, etc.).



Social Spammer and spam. The use of social networks as platforms for sending undesired emails.



Non-authorized indexing by the Internet search engines.

Extract of the Constitutional Sentence 292/2000.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 10 of 143

Instituto Nacional de Tecnologías de la Comunicación



Uncontrolled access to profiles. Most social networks publish completely the information in profile of users, or at least a part of it, so any user of the social network can access to personal information without the owner’s express consent.



Identity stealing. It is more and more common for users who had never registered for online social networks, to realize while doing so that their “digital identity” is already being used.



Hyper-contextualized Advertising. This gives a priori an advantage to the users since it prevents the display of irrelevant and even offensive contents while navigating. However, from a legal point of view, it could be considered as an illegal practice, because, in order to contextualize the advertising, the data and preferences of the users are being examined.



The installation and the use of “cookies” without the consent of social network users. Another possible risk related to their participation lies in the possibility that the website uses cookies enabling the platform to know about the users activities. Thanks to these tools, social networks can know the place from which the user is connected, the connection time, the device from which he/she accesses the platform (fixed or mobile), the operational system he/she uses, the most visited pages within the website, the number of clicks made, and many other data regarding the user’s life in the network.

Regarding the existing measures related to the protection of personal data for particularly vulnerable groups - minors and legally incapacitated- the particular importance of the Royal Decree 1720 / 2007 should be underlined. It stipulates that the providing of personal data for minors under 14 years old requires the consent of their parents or guardians. In addition, this rule explicitly states that the obtaining of the child’s consent should be simple and easily understandable and that no information concerning his/her friends and relatives could be asked to him/her. Protection of intellectual property Regarding the protection of intellectual property in such platforms, it has been underlined that there is an increasing number of protected contents that are being used, shared and disseminated through social networks and collaborative websites without the authorization of their owner. The protection of intellectual property is the right that the author has on his/her literary, artistic or scientific work. Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 11 of 143

Instituto Nacional de Tecnologías de la Comunicación

In Spain, the Act on Intellectual Property grants the authors exclusive rights on their work, meaning that any reproduction, transmission or publication of their work must be done with their authorization. Both the national and European legislation are very strict so that nobody can exploit intellectual property rights without permission from the author. However, when it comes to the violation of the rights on intellectual property, we must distinguish between the situations where it is the users who are actually infringing the law and the ones where social networks do so through their General Conditions. Social networks, while trying to fight against the unauthorized distribution of contents through their platform, have implemented automatic mechanisms for the users to selfregulate the contents published on the network. They allow the user to “denounce” contents that do not meet the conditions for registration or that violate both the rights the users have over their works, or the ones of third parties. Protection of consumers and users It has to be considered that one of the main advantages of such platforms is the ability to obtain economical benefits from advertising and from the applications developed by the users of the network. The easiness with which users can advertise or can receive announcements of products and services is tremendous compared to the physical world. The commercial success of online advertisement is also increased by the facility with which the products and services can be marketed at distance, and by the fact that social networks have a database of users (potential costumers) perfectly segmented by preferences and profiles. As noted from the interviews and round tables conducted with users and legal experts, the increased collaboration of the users in identifying and controlling the kind of advertising, products and services sold through the network, have helped raising the level of users´ security. Similarly, it is essential for the proper development of the Information Society and for the sale of products and services through social networks to be successful, that potential customers have full trust in the website. This one must observe and comply with the current legislation, and the needed technological requirements. III

Proposals and recommendations to the parties involved in social networks.

After analyzing the data collected during qualitative research, a series of recommendations have been developed. They are addressed to social networks and collaborative platforms, ISP (Internet service providers), manufacturers and service providers of computer security, public administrations and associations, and users:

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 12 of 143

Instituto Nacional de Tecnologías de la Comunicación



The Industry

Social Networks and Collaborative Platforms: The proposed general recommendations focus on: a) the compliance of their services with the European and national legislation, b) on the legal implications of some specific activities, c) on the identification of the technological tools required for their services and d) on the awareness regarding the need for increased security measures and the need for the protection of users. Regarding the specific recommendations: Security and technological recommendations 1. Transparency and easiness to access the information o

It is essential that these platforms expose all the information on their services in a clear and understandable way, so that the language used in their conditions of use and privacy policies is absolutely understandable for any user.

o

It is essential that social networks emphasize within their homepages a specific section dedicated to inform their users.

o

It is recommended to create “microsites” 5 with direct access from the homepage of social networks in which the information is exposed through “FAQs” and multimedia contents.

o

It is essential that social networks maintain their Privacy Policy and Terms of Use without major changes.

2. Ensure user control over the processing of the data and information published on the web by making available the largest number of tools aimed at enforcing their rights in an automatic, simple and quick way. 3. Set, by default, the highest level of security and privacy settings. 4. Ensuring the security of the platform. The proper choice of their Internet service provider (ISP) is vital so that it will ensure the highest level of security: secure servers, backup facilities and secure access, among others. 5. Deletion of information after a reasonable time.

5

Small pages Web, with specific contents that depend on a main one..

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 13 of 143

Instituto Nacional de Tecnologías de la Comunicación

6. Respect of the rights to register and unsubscribe. Recommendations on training and awareness 1. Internal development of websites aiming at making available the maximum level of information possible regarding the treatment of personal data and the implications that may arise from the publication of contents on social networks. 2. Make available to users information on the security measures that have been implemented on the platform and the possible actions they may take in case of violation of their rights. 3. Given that the vast majority of generalist social networks users are underage, it is crucial that social networks and collaborative platforms, together with public authorities, associations and organizations whose purpose is the protection of such groups, lead out joint initiatives to promote the formation of underage users and their guardians about the security of users, investigating the technological opportunities that exist to achieve the identification of users´ age 4. Volunteer programs within the company to collaborate with schools and training centers in order to spread the importance of security and to report the main recommendations to be considered in the use of such services. Addressed to manufacturers and providers of computer security Manufacturers and suppliers of security must take into account two key aspects to achieve the highest level of security: a) the prevention of online fraud, and b) research and development of secure technological tools. In this way, it is recommended to promote in the sector the following aspects: 1. That the marketed applications implemented in social networks have been developed, revised and evaluated in accordance with the quality, security and privacy standards that guarantee their use is respectful and secured towards the users´ rights. Their proper functioning should also be reviewed. 2. The companies dedicated to security should encourage the interoperability of their security systems, promoting the implementation of standard protocols and systems in social networks that will guarantee the compliance of pre-established codes of conduct. 3. In this respect, it is recommended to collaborate directly with the Security Forces of the State in the investigation of new situations of risks for the users, in order

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 14 of 143

Instituto Nacional de Tecnologías de la Comunicación

to develop applications able to detect, act and counteract any unfavorable situations for the users of the platform. 4. It is recommended to the manufacturers and the providers of computer security to be proactive when detecting malicious programming codes (“malware”) that allow security holes in the platform, as well as when elaborating Black Lists, in which will be included the domain names that are presenting unauthorized contents, or that don’t abide by the security criteria previously mentioned. 5. It is recommended for the manufacturers to develop security patches and updates to guarantee that the persons in charge of the platform as well as the users are using entirely updated and secure applications. 6. In this respect, it is recommended for these manufacturers to develop applications that comply with international standards. 7. It is recommended to develop remote applications that allow parents to have complete control over the contents and the operations realized by underage users on the Internet. 8. To include in the technical descriptions of the software processing personal data, the technical description of the basic, medium and high security level mentioned by the LOPD (Legislation on the personal data protection). 9. It is also recommended for the manufacturers of security software together with the relevant public administration to encourage the development of tools dedicated to reduce the reception of spam through social networks and similar platforms. Addressed to providers of Internet access services (ISP) The proposed recommendations for this Group include: 1. Create a platform for secure and reliable communication with the Security Forces of the State and Judicial authorities. 2. The full support and assistance to the Security Forces of the State. 3. Provide information to users and costumers about the security measures that maintain the connection service. 4. Immediately address the complaints when received.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 15 of 143

Instituto Nacional de Tecnologías de la Comunicación

Addressed to administrations and public institutions. Normative point of view: Regarding the protection of personal data, among the proposals, are included the following aspects: •

Global Legal Security: that promotes at the international, or at least at the community level, basic regulatory principles.



It has to be implemented and strengthened penalties for those platforms or users who illegally obtain information.



It is recommended for the public authorities to work for a uniform international law on personal data protection, honor, privacy and image.

Intellectual Property: •

Encourage, or oblige, this kind of platforms to make public or al least to emphasize that the contents published on their network will become their property, before users publish any content on this one.



It is recommended for competent authorities to promote direct agreements between the audiovisual and music industries, and the main content delivery platforms.



It is recommended for the service providers of the Information Society to implement automated, free, simple and effective tools for the owners of works protected by intellectual property rights to denounce unauthorized contents.



To ensure fair compensation for copyright holders.

Costumers and Users: •

It is recommended that the legislation clearly states which authority is competent to deal with complaints from consumers and users.



Promote effective and efficient mechanisms regarding the possibility of blocking access to online platform.

Executive and administrative point of view: •

Specific training in technological law for judges, magistrates, prosecutors and court clerks.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 16 of 143

Instituto Nacional de Tecnologías de la Comunicación



It is necessary to equip the technological squads of Security Forces, belonging to the State, the autonomous communities or the International community, with technological tools that will allow them to investigate, to maintain the chain of custody for electronic evidence and to block situations that will be susceptible to cause a damage to the users of social networks and collaborative platforms.



Development and articulation of fast and free judicial proceedings so that users will be better protected.

Formative and Informative point of view: •

Conduct awareness campaigns on the risks represented by the spreading of personal data in social networks.



Conduct training workshops and outreach programs related to security.



Create classes on data protection and security on the web.



Conduct awareness-raising and promotion campaigns on the security on the Internet through the media 2.0.

Addressed to users and associations After specified is a series of recommendations addressed to the users of social networks and collaborative platforms, which have the objective to inform them upon the benefits these kinds of services might bring but also the damageable -but easily avoidablesituations they might be confronted to while using them. 1.

It is recommended for all users to use pseudonyms or nicknames, enabling them to have a genuine “digital identity”.

2.

It is recommended for the users to be especially careful when publishing audiovisual contents and graphics on their profiles since they may put at risk their privacy and the privacy of those around them.

3.

It is recommended to review and read before registering as a user, the conditions of use and the Privacy Policy of the platform.

4.

It is recommended to configure adequately the degree of the profile privacy in the social network, so it is not completely public but only available to those that have been cataloged as “friends” or “direct contacts” previously by the user.

5.

It is recommended to accept as a contact only the persons, which are known.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 17 of 143

Instituto Nacional de Tecnologías de la Comunicación

6.

It is recommended not to publish in the user profile contact information, allowing anyone to know where the user lives, works or studies and the daily or leisure places that the user usually attends.

7.

For the users of microblogging tools 6 it is recommended to take special care regarding the publication of information on places that are at all times.

8.

It is recommended to use and disclose only the contents the user has rights upon.

9.

Users are encouraged to use different usernames and passwords while entering social networks they are a member of.

10.

It is recommended using passwords with a minimum length of 8 characters, alphanumeric, with and without capital letters.

6

11.

It is recommended that all users have on their computers antivirus software properly updated.

12.

Underage users should not reveal personal information. It should never be provided data to strangers.

13.

All information concerning the website should be read. It has to be explained who are the owners and the purpose for which the data are required.

14.

If the user is under fourteen, is also required the consent of the parents or guardians. In these cases, their consent will be request while subscribing/accepting friends, etc.

15.

The users should not communicate to others their usernames and password, or share them with friends or classmates. These data are private and should not be communicated to third parties and / or unknown persons.

16.

Whenever there are any questions regarding any situation arising from the use of social networks and collaborative tools, it has to be asked to the parents or guardians.

17.

The computer must be kept in a common area of the house.

18.

There should be some rules on the use of Internet at home.

This type of platforms is based on the constant update of the user profiles. More information where be

abaible at Chapter 3 of this document.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 18 of 143

Instituto Nacional de Tecnologías de la Comunicación

19.

Parents should explain the benefits and the risks of such platforms to their children.

20.

Activate the parental control.

21.

Ensure that age verification controls are implemented.

22.

Ensure the correct implementation of the unapropiated content blocker.

23.

Teach children about security issues.

24.

Explain to children that they must never meet anyone they have met online and if they do so their parents or guardians must always accompany them.

25.

Ensure that the children know the risks and implications of hosting content as videos and photographs, as well as the use of webcams through social networks.

26.

Check the user profile of the children.

27.

Ensure that the children only access to the pages recommended for their age.

28.

Ensure that the children do not use their full name.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 19 of 143

Instituto Nacional de Tecnologías de la Comunicación

1

INTRODUCTION AND OBJECTIVES 1.1

1.1.1

Presentation Spanish National Institute of Communication Technologies (INTECO)

The Spanish Instituto Nacional de Tecnologías de la Comunicación (INTECO): The Spanish National Institute of Communication Technologies, sponsored by the Ministry o Industry, Tourism and Trade, is a platform for the development of the Information Society through innovative and technological projects: firstly, to contribute to the convergence of Spain with the European Information Society, and secondly, to promote regional development. The mission of INTECO is to promote and develop innovative projects related to the field of Communication and Information Technologies (TIC) and the Information Society, in order to improve the position of Spain in Europe and to provide the country new competitive advantages, by extending its abilities in both the European and the Latin American environment. Thus, the Institute intends to be a development center of strong public interest aiming at developing the use of new technologies in Spain. The social objective of INTECO is the management, counseling, advocacy and spreading of technological projects related to the Information Society. To do this, INTECO develops actions that follow the strategic lines of a) the Technological Security, b) the Accessibility and c) the Software Quality. El Observatorio de la Seguridad de la Información: The Information Security Observatory is inserted into the strategic line of actions of INTECO for Technological Security. The Observatory aims at describing in detail the level of security and trust regarding the Information Society. It seeks to generate expertise in the area. Thus, it is at the service of the citizens, the companies and the Spanish administration to describe, analyze, and spread the culture of Information Security and e-Trust. The Observatory has designed an Activities and Researches Plan in order to produce useful knowledge and expertise related to security on the Internet and to develop recommendations and proposals to define trends that will be valid for future decisions of public authorities. Within this action plan are carried out researches, analysis, studies, counseling and outreach to address, inter alia, the following aspects:

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 20 of 143

Instituto Nacional de Tecnologías de la Comunicación



Development of internal studies and studies on the Security of TIC, with special emphasis on the Internet Security.



Monitoring of key indicators and of public policies related to the security of information at the national and international level.



Creation of a database to enable the analysis and evaluation of the security and trust with a time perspective.



Promotion of researches on secure technologies.



Spreading of studies and reports published by other entities and national and international organizations, as well as of information on current national and European policy on security and trust regarding the Information Society.



Advising the government on the security of information as well as supporting the development, monitoring and evaluation of public policies in this field.

More information: http://www.inteco.es More information: http://observatorio.inteco.es 1.1.2

Spanish Data Protection Agency

The Spanish Data Protection Agency is an entity that operates independently from the government and that aims at enforcing and implementing the provisions contained in the Spanish Ley Orgánica 15/1999 de Protección de Datos (Organic Act 15/1999 on Personal Data Protection, hereinafter refered to as the LOPD) and its implementing rules. Its functions are to ensure the compliance with the data protection legislation and to monitor its implementation, particularly regarding the rights to information, access, rectification, opposition and cancellation of data. Among its functions may be underlined the following points: ƒ

An obligation to answer requests and complaints that may be made by those affected by this issue.

ƒ

The power to sanction violations that may be committed in this field.

ƒ

Statistical data collection.

ƒ

Informing on the standards impacting the protection of data.

ƒ

Issue instructions and recommendations for a proper compliance with the LOPD.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 21 of 143

Instituto Nacional de Tecnologías de la Comunicación

More information: http://www.agpd.es 1.2

Contextualizing the study

Nowadays Internet is an arena of social relationships based on the increasing involvement of its users in: •

The editing, validation and publication of contents in various formats: text, audio, video.



The specialization of the published contents. The websites are segmented in a variety of communities ranging from pure entertainment to professional life. Users are also segmented by groups of age: teenagers, adults, etc.

The technological and social changes have contributed to the establishment and the growth of this new popular form of creation based on the collaboration and the access to information. The current trend on the Internet is now to focus on the user- through forums, blogs, wikis and social networks- in other words, all those utilities and services that are based on a database that the users may change while processing the contents (adding, changing or deleting information). Unfortunately, these social spaces are not free from danger or possible malicious attacks: •

The user provides a series of personal data to register for these sites that are protected by the Spanish law. Moreover, the very nature of these sites means that their users will include extensive information about their preferences and needs, which also has to be protected, especially in the case of underage users and persons without legal capacity to act. The fact that social networks are based on the principle of making publicly available the maximum amount of information, causes, both directly and indirectly, the emergence of innumerable legal problems only partly covered by the Spanish legislation.



Some of the most representative sites have been targeted by online fraud. There have been situations where a person steals the identity of a legitimate company or a trusted friend, in order to obtain personal information, PIN or credit card numbers.



It is common for users to use the same password for the different virtual communities they belong to, which means that a violation of one of them can affect

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 22 of 143

Instituto Nacional de Tecnologías de la Comunicación

all the data they have provided in their communities. The situation is exacerbated when users use the same password to manage their financial activity. In this context, the users´ security (especially underage and legally incapacitated users) and the security of information, as well as the protection of privacy and personal data will constitute the most relevant part of the analysis. Indeed, it becomes necessary to conduct a study that will examine, investigate, and develop on: a) The security, b) The legal and social aspects and c) The technological characteristics of the social networks that operate in Spain, with a specific attention to their effects and their use by underage people. This study will also revealed the different opinions shared by the sector in order to guide future private or public initiatives aiming at reaching a good balance between the potential of these new tools, their limits and the rights of their users. 1.3

Objectives of the Study.

The overall objective of the study is to develop an analysis on the security of social networks and collaborative platforms, with a specific attention to underage and legally incapacitated users, through an assessment and a diagnosis of a) their legal, technological and sociological aspects, b) the security of their contents, c) the agents participating in them, d) the privacy and the data protection of the users who are related to each other through these websites. This overall objective will be divided into specific sections: •

Legal analysis of social networks to determine the legal responsibilities and obligations of these service providers in Spain.



Comparative study on the laws affecting these platforms for the European Union and for the U.S. with a particular attention to the penetration of social networks in these countries as well as to the legislative initiatives and projects related to them.



Analysis of the different actors involved in the collaborative webs (ISP, advertising agencies, content agencies, etc.) regarding their legitimacy and their responsibility in the functioning of these platforms.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 23 of 143

Instituto Nacional de Tecnologías de la Comunicación



Technological and sociological analysis of social networks, which will describe the functioning of these new forms of social interaction: flow of information and tools to share contents and communicate with other users.



Analysis of the privacy and data protection of the users and the people who maintain relationships through social networks.



Analysis of the security: assessment of the specific risks that might arise from the use of these websites especially for underage and legally incapacitated users.



Analysis of the specific case of underage and legally incapacitated persons regarding the protection of their personal rights and the protection of their honor, privacy and image.



Delimitation of the potential threats and risks while using this kind of collaborative networks. Measures to reach the proper balance between the possibilities of these tools, their legitimacy and the protection of the privacy and the data of the users.

With the achievement of these objectives, we want to provide information and recommendations for action regarding the legal, technological and security aspects of this kind of platforms. 1.4

Methodology

The methodology used for this survey has been designed with the following objective: providing updated information on the situation and the vision of the users, the industry and the public sector, as well as providing the most rigorous analysis on the legal and technological aspects affecting social networks and collaborative websites. The study and the analysis was developed in different phases: 1.4.1

Phase I. Data Collection and Fieldwork

The objective of this phase was to obtain as much information as possible regarding the phenomenon of social networking. The following tasks have been realized: 1. Documentary search for resources related to social networks a) Official documentation published by the European Union and International institutions 7 .

7

Among others: Grupo de Trabajo del Artículo 29; European Network and Information Security Agency, Foro de Cooperación Económica Asia Pacífico (APEC), etc.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 24 of 143

Instituto Nacional de Tecnologías de la Comunicación

b) Studies released by private entities. c) Statistical analyses of social networks. d) Articles and news. 2. Identification of the main actors involved in the phenomenon of social networks in Spain. Their level of compliance with the national legislation and their specific aspects will be considered later in the studies. 3. Conducting a Survey of 2.860 Internet users (over 15 years old) on the use of social networks between April and June 2008 8 .The characteristics of the fieldwork for this survey are described bellow: •

Population of concern: Spanish users with frequent access to the Internet from home (at least once a month) and older than 15 years old.



Sampling method and distribution: We have extracted a representative sample of 2.860 Internet users, according to the following model: o

Stratification

by

Autonomous

Communities

to

ensure

their

proper

representation. o

8

Sampling by quotas (household, age, sex, activity and resources 9 ).

Quantitative results obtained from the sample are based on opinions and perceptions of the surveyed users.

9

Provided by Red.es, a public company belonging to the Ministry of Industry, Commerce and Tourism. (“TIC in Spanish homes: 11th Wave-October 2006”).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 25 of 143

Instituto Nacional de Tecnologías de la Comunicación

Table 1: Sampling by Autonomous Communities (%) Autonomous Communities Andalusia Aragon Asturias Balearic Islands Canaries Cantabria Castille-La Mancha Castille and Leon Catalonia Basque Country Extremadura Galicia Madrid Murcia Navarre La Rioja Valencian Community

Obtained Sample 15.2 3.5 3.6 1.9 4.3 1.4 3.0 6.2 17.0 5.1 1.6 6.4 16.8 2.2 1.0 0.4 10.2

Theoretical Sample 15.2 3.0 2.5 2.7 4.7 1.3 2.9 5.4 18.5 4.7 1.4 4.5 18.6 2.5 1.4 0.7 10.0 Source: INTECO

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 26 of 143

Instituto Nacional de Tecnologías de la Comunicación

Table 2: Sampling by Socio-demographic Categories (%)

Concept Activity Workers Unemployed Students Retired Others/Inactive Household 1 2 3 4 and more Sex Man Woman Resources More than 20.000 From 20.001 to 100.000 More than 100.000 Age Up to 24 25-35 35-49 50 y more

Obtained Sample 83.9 7.8 3.2 2.7 2.4

71.7 4.6 16.1 3.0 4.6

8.2 22.6 24.3 45.0

3.2 15.4 28.7 52.7

51.0 49.0

53.7 46.3

28.1 24.8 47.2

24.8 24.1 51.1

21.6 37.1 32.4 8.8

23.4 28.2 31.8 16.6

Sampling base =2.860



Theoretical Sample

Source: INTECO

Capture of information: Online interviews from a panel of Internet users with a total of 2860 respondents.



Fieldwork: Carried out between April and June 2008.



Sampling error: According to the criteria of simple random sampling for dichotomous variables in which p=q=0.5 and with a confidence level of 95.5%, the following calculation of sampling error is: Total sample n= 2.860, sampling error ±1.87%.

4. Conducting in-depth 35 interviews: a) Responsible for various legal and technological social networks. Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 27 of 143

Instituto Nacional de Tecnologías de la Comunicación

b) Social Networks users. c) Professionals in the field of Technological Law and Information Security. d) Public institutions and non-profit organizations. 5. Creation of 3 discussion groups: a) A “Legal and Information Security” Group. b) A Group of social network users. c) A Group of underage users of social Networks. 1.4.2

Phase II. Information Analysis.

Following the completion of the fieldwork and the collection of the information available on the phenomenon, social networks have been analyzed from the following points of view: Legal Aspects •

Protection of the rights to honor, image, intimacy and privacy.



Protection of Personal Data.



Protection of consumers and users.



Protection of intellectual property.



Protection of underage and legally incapacitated users.



Protection of workers.

Aspects related to the information security. •

Security systems configured by the websites.



Systems for the internal protection of users and contents. Systems of complaints.



Systems for anticipated settlement.



Systems for the protection of underage and legally incapacitated users.

Aspects related to the business models and the means of exploitation •

Creation of social networks.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 28 of 143

Instituto Nacional de Tecnologías de la Comunicación



E-commerce through social networks.



Value chain.



New business lines and problems related to their security.

Aspects related to the social perception of social networks •

Social networks as a new form of social contacts.



Social networks and trend creation.



Sociological dangers generated by social networks.

The analysis of social networks is based on all those aspects. These platforms can be considered as a new social reality by which the users could develop themselves as individuals. The analysis also focused on the industry. It highlights its key challenges and vulnerabilities. 1.4.3

Phase III. Recommendations and conclusions

After analyzing and classifying the collected information, and after clarifying the results of the interviews, we detected a certain number of patterns related to the opinions of social network users and the purposes of these platforms. The recommendations focus on the best ways to improve social networks, and also on the correct use of these ones by their users. Thus, the recommendations are addressed to: •

The industry: recommendations to handle the main problems detected while realizing the studies and conducting the interviews and discussion groups.



Public administrations: recommendations to the various organs of the administration in order for them to have the necessary knowledge to better protect the interests of social networks users.



Users and associations: recommendations for them to have valid information on how to operate while using social networks.

The conclusions of the document aim at dealing with the largest number of situations that might be encountered in the field of social networks.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 29 of 143

Instituto Nacional de Tecnologías de la Comunicación

1.5

Content Structure

This study is divided into the following parts: Situation and definition of social networks Offers a clear and simple overview on the current situation of the sector (the existing social networks and the key business models) in order to better understand the problematic rose by these platforms and their position on the market. Analysis of the most relevant aspects and the specific problems of social networks. This section evokes the main rights protecting the users of social network especially those of the third Group (underage and legally incapacitated users) and the workers. The analysis focuses on the legislation, the applicable protective measures and the attitudes of social networks regarding these aspects. It has been divided into four fields: •

The right to honor, privacy and image: the actions of both users and networks are taken into account. The analysis goes beyond the sphere of data protection, e.g. transfers of images for commercial purposes.



Protection of personal data: we studied the activities of different social networks, taking into account inter alia: the kind of users, the collected data and the way to process them.



Intellectual and industrial property: from the perspective of intellectual property, the transfers of rights via collaborative platforms and their applications have been studied. From the perspective of industrial property, the uses of trade names and trademarks by the platforms and their users have been examined.



Consumers and users: The various defensive measures available to the users of social networks have been discussed.

Recommendations and conclusions The recommendations focus on the best ways to improve social networks, and also on the correct use of these ones by their users. These recommendations are addressed to the industry, the government, the users and their representative associations. The conclusions have been specifically drafted to apply to the largest number of situations related to social networks and collaborative websites.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 30 of 143

Instituto Nacional de Tecnologías de la Comunicación

2

SITUATION: DEFINITION OF SOCIAL NETWORKS

This chapter provides an overview on the current situation of various social networks, the kind of networks available for the public and the main business models used in this sector in order to understand the situation and the problems related to this kind of platforms and their current position on the market. 2.1 2.1.1

Characterizing Social Networks. Theoretical Basis

Social Networks refer to online platforms from which registered users can interact, share information, images or videos, allowing these publications to be immediately accessible by all the users of their group. The analysis of social networks has been appearing in many social studies during the past twenty years: they are considered as a new tool for analyzing individuals and their social interactions. Since they focus on the personal and collective relationships and not on the characteristics of the individuals (race, age, income, education) they have been used to study the habits, tastes and ways of interacting among social groups. Any social networks is based on the theory of six degrees of separation 10 , according to which any individual can be connected to any other person on the planet through a chain of acquaintances with no more than five intermediaries (with a total of six connections) The number of acquaintances increases as do the links in the chain. Individuals in the first degree are the closest friends and familys. As the degrees of separation increase, the relation and the trust decrease. The Internet and the development of powerful software applications enabling the creation of platforms dedicated to the exchange of information and the interaction between individuals have meant a real revolution favorable to the emergence of the concept of social network, as it is known today. The universality of the web enables to quickly expand the number of contacts and to build closer ties between users who have common interests. 2.1.2

Origin and evolution

The first social network was created in 1995, when Randy Conrad conceived the website “classmates.com”. This social network was intended for the users to retrieve or keep in touch with former colleagues from school, institute, university, etc. 10

Theory developped in 1929 by the Hungarian writer Frigyes Karinthy. Also mentionned in the book “Six Degrees: The Science of Connected Age” of the sociologist Duncan Watts, who says that anyone is accesible on the planet in only six jumps.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 31 of 143

Instituto Nacional de Tecnologías de la Comunicación

In 2002 websites that promote networking among circles of online friends began to appear, gaining popularity in 2003 with the creation of websites like MySpace or Xing. The popularity of these platforms has grown exponentially. Large multinational companies then developed new projects taking advantage of the success of social networks: for example, Orkut by Google or Yahoo! 360º by Yahoo!. Then focused social networks had begun to appear 11 . Table 3: Social Networks 1995 1997 2002 2003 2004 2005 2006 2007

Classmates SixDegress Friendster MySpace Orkut Yahoo!360º Facebook Lively

Fotolog LinkedIn Bebo Twitter

Hi5

SecondLife

Tuenti Source: INTECO based on Panda Security

The increased popularity of social networking was parallel to the increasing number of websites dedicated to the exchange of contents. This converted the Internet as a new mean for social interactions, entertainment and sharing contents. At the earliest stage, users where considered as mere consumers of contents created by others. Now they can create their own contents with a computer, a connection to the Internet and basic knowledge in Internet use. The expansion of this phenomenon had been measured lately by the Universal McCann Study (3rd Wave Study of the Power to the people social media. March 2008), which estimated the number of social networks users to be 272 million. It represents 58% of the registered Internet users worldwide, and an increase of 21% compared to the data recorded in June 2007. In Spain 12 , as underlined in the Universal McCann Study, 44.6% of the Internet users are using these services (Graph 1) to be connected with their friends and close family, or to 11

In Spain, some social networks (Minube.com, Patatabrava.com, Moterus.com, VIVO.com) are dedicated to specific sectors such as travelling, motorcycles and entertainment.

12

Even if the sources of information are diverse, they all agreed that, for 2008, the number of Internet Spanish users who are regularly using social networks is around 40 to 50%. It was, for example, 50% according to Zed Digital (The Phenomenon of social networks. Perception, uses and advertisment. November 2008) or 45% according to The Cocktail Analysis (Observatory for the assessment of social networks. Online communication tools: Social networks. November 2008).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 32 of 143

Instituto Nacional de Tecnologías de la Comunicación

look for persons they lost contact with. Applying this percentage to the data registered by the Wave XX from Red.es, which highlighted that “between January and March 2008, around 17.6 million of people have used the Internet the month before”, it is estimated that 7.85 million regular users -above 15 years old and that had Internet connection during the last month- are using social networks 13 . Graph 1: Percentage of Social Network Users in Spain. March 2008.

44.6 53.4

Use

Don't use

Source: INTECO based on Universal McCann

These new services are configured as powerful channels of communication and interaction, allowing the users to act as segmented groups (for entertainment, communication, professional life, etc...) The network is consolidated, therefore, as a space to build relationships, communities and other social systems in which participation is motivated by reputation. 2.1.3

Definitions

The concept of social network has been widely discussed by professionals from different sectors, and there is currently no absolute and widely accepted definition.

13

In this sense it is possible to indicate that in 2008, a study realised by the company of market studies

comScore revealed that 8.828.000 Spaniards belonged to some of these networks. Más información en: http://advertising.microsoft.com/espana/estudio-comscore-para-las-redes-sociales

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 33 of 143

Instituto Nacional de Tecnologías de la Comunicación

Before examining the concept of social network, it is necessary to differentiate traditional social networks from online social networks 14 . A social network primarily designates a form of interaction between people and / or communities of people. Here are some definitions of social networks: ”Forms of social interaction, which are defined primarily by the dynamic exchange between their subjects. Networks are open systems of individuals who can be identified by the similitude of their needs and problems. Networks, therefore, stand as a form of social organization that allows a group of people to enhance their resources and that contributes to solve their problems” 15 . “Networks are forms of social interaction, defined as a dynamic exchange between individuals, groups or institutions, involving similar individuals identified by their needs and issues and that are organized to leverage their resources” 16 . “On the overall, the concept of network is used to refer to two phenomena: networks are on one hand considered to be a set of interactions that occur spontaneously, and on the other, and this is the most interesting aspect, networks aim to organize these spontaneous interactions with a certain degree of formality, for the establishment of common interests, problems, questions, and goals” 17 . Given the importance of this phenomenon, the International Group on Data Protection in Telecommunications in Berlin agreed on the “Rome Memorandum 18 at its meeting of March 2008. “One of the challenges that can be observed is that most of the information published on social networks, is done under the initiative of users and based on their consent”. The Memorandum also analyzes the risk for privacy and security represented by social networks, and underlines that these ones do not provide “free services” since their users are paying through secondary uses of their profiles such as targeted marketing.

14

Although the concept of social network is used interchangeably to designate online social networks and traditional ones, this is an error that may cause a distortion of the subsequent analisis. We can say that social networks are online “services involving the creation of online communities of people who share interests, activities, and who learn from others” 15

From "Network. An approach to the concept. " Marta Rizo García, Autonomous University of Mexico City.

16

From the "Castilla y León 2.0. Towards the Information Collaboration. " 2008 edition

17

From the article "Networks. An approach to the concept” "by Marta Rizo García, Ph.D. in Communication from the Universidad Autonoma de Barcelona and professor-researcher of the Academy of Communication and Culture and of the Studies Center on the City the Universidad Autonoma de Mexico. Member of the Training Network on Communication Theory and Comunicología (REDECOM, Mexico) and the Network for Studies in Cyberculture and TIC (RECIBER, Mexico).

18

http://www.datenschutz-berlin.de/attachments/461/WP_social_network_services.pdf

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 34 of 143

Instituto Nacional de Tecnologías de la Comunicación

The European Network and Information Security Agency (ENISA) published in October 2007 some "Recommendations for the security of online” 19 social networks", addressed to th providers of social networks and to the organs that legislate in this field, that recommended to invest in the education of social network users and to promote a greater control while accessing the services. We can conclude from the above considerations that: "Social networks are online services provided through the Internet that allow their users to generate a profile where they can publish data and personal information; that provides tools to interact with other users; and that allows to locate them according to the characteristics published in their profiles” 2.1.4

Keys to success

The following aspects led to the success of this online phenomenon: The growth of these platforms is primarily based on the technique known as “word of mouth” or viral 20 process in which an initial number of participants invites their friends to join the website via mail. New members repeat the process, rapidly increasing the total amount of member. The

19

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf

20

When talking about viral process regarding social networks, it refers to the ability of such networks to reach a maximum growth of users in the shortest time possible. This is a concept that is directly related to marketing

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 35 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 2 illustrates this idea. In Spain, more than one-third of social network users (37.0%) has more than 50 contacts, 19.4% has from 51 to 100 contacts and 17.6% has more than 100. Only one-fifth (21.5%) has less than 10 contacts, which gives an idea of the level of dispersion and the rate of penetration of these services.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 36 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 2: Number of contacts by social network users in Spain. October 2008

17.6%

21.5%

19.4%

41.5%

Menos de 10

De 10 a 50

De 51 a 100

Más de 100

Source: INTECO based on Zed Digital

Social networks offer various applications and features, including: automatic address book from email accounts, public profiles visible to all visitors, etc. These applications are based on three variables known as the "3Cs": o

Communication (sharing of knowledge).

o

Community (finding and integrating communities).

o

Cooperation (doing activities together).

Social networks focus on getting their members to use online media to convene events and actions that will have an impact on the offline world. Good examples of this are the "Shopping Social Networks," through which users can share their views, tastes and experiences about certain products and services and can arrange to shop in large groups in order to get discounts. This kind of network also allows users to receive recommendations for activities in their daily lives (recommendations for leisure, dining, etc.) according to the user preferences. 2.2

Typology of social networks

Social networks can be categorized according to their targeted public, or the kind of contents they publish. There are, at least, two main social network groups: generalist and professional.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 37 of 143

Instituto Nacional de Tecnologías de la Comunicación

Although each one has a certain number of specific aspects, both share common structural features: •

Their primary purpose is to allow people to make contacts and to interrelate. The platform makes it easy and quick to keep in touch with other users.



They allow interaction between all users of the platform, either by sharing information, allowing direct contact or by facilitating new contacts of interest.



Allow and encourage the ability for users to initially contact other ones through the online media, and eventually meet in the real world.



Allow unlimited contact between users, so that the concept of space and time becomes relative. Users are able to communicate with each other from anywhere at any time, provided that both parties agree to interact.



Promote the expansion of viral social networks, using this method as the principal way to increase the number of users.

The following pages define each one of the previous groups according to their targeted audience and the kind of contents they host. 2.2.1

Generalist and recreational social networks.

Such networks are characterized by their main objective that is the provision and the reinforcement of personal relationships between their users. The growth of these networks has been tremendous during the recent years. Some platforms such as Facebook have a daily entry of more than 120 million active users who are also creating their own contents 21 . According to some data 22 such networks replaced other media such as instant messaging that has been widely used during the recent years. This is largely due to the aspects that characterize generalist social networks: •

They offer a variety of applications and / or functionality that enables the users to spare themselves the trouble of using external communication tools by providing them a platform that integrates all the necessary applications on a single screen.



They offer and encourage people not to focus solely on how to operate online, but also

21

Data published in The Facebook Blog and in cnet news.

22

According to the latest study by the Pew Internet & Ameican Life Project called “Social Networking Websites and Teens: An Overview” by Amanda Lenhart & Mary Madden,55% of underage users who are connected to the Internet has created and frequently updated their user profile on at least one social network.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 38 of 143

Instituto Nacional de Tecnologías de la Comunicación

to organize their daily lives through the platform 23 . •

They provide users the code used to program 24 the platform, so they can develop their own applications, which are implemented within the social network, thereby increasing the usefulness of the platform and thus its diffusion.

A sub-classification of generalist social networks can be made, depending on their purpose or theme: Platform to exchange content and information Services such as Youtube, Dalealplay.com, Google Video, etc., are characterized by the providing of free and simple tools to exchange and publish digital contents (videos, photos, text, etc.) Strictly speaking, they cannot be considered as genuine social network, as they only allow the publication of contents that other users can view, limiting the interaction between users to the inclusion of comments related to the contents and to their ratings. However, although these platforms were originally independent from social networks, these ones currently allow to link contents and to advertise directly from the user profile 25 . Social Networks based on User’s Profiles. Networks such as Facebook, Tuenti, Wamba, Orkut, etc., are the most representative social networks used on the Internet 26 . The possibility for third parties to develop applications on these platforms and the easiness with which their users can interact with each other is making the use of traditional communication tools less useful. Such networks are often divided by topics, creating large communities of users with high levels of expertise on specific issues. They are becoming great sources of information and knowledge 27 .

23

A clear example of this is the social network www.salir.com where spanish users recommend places to visit in a given town or organize events.

24

A clear example of this practice is the OpenSocial platform, owned by Google, whose potential is really high. For more information please go to the following address http://code.google.com/apis/opensocial. 25

It should be noted that the vast majority of content exchange platforms like Youtube, or DevianArt Fotolog, are made available to users shortcut icons to the main social networks.

26

So determined by the study recently published by the newspaper Le Monde,“Réseaux sociaux: des audiences différentes selon les continents”. This report is clearly seen as the most visited social networks in every continent are the profile-based social networks such as MySpace, Facebook, Tuenti, Friendster, Netlog, Bebo.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 39 of 143

Instituto Nacional de Tecnologías de la Comunicación

Microblogging or Nanoblogging. Platforms such as Twitter or Yammer are services based on constantly updated users´ profiles through small text messages, not exceeding 160 characters. This allows to provide the other users clear, concise, simple and fast information on the activities, impressions, thoughts, publications being undertaken at that time. The updates are both displayed on the users ´profiles and the sites of the persons that want to follow them. Strictly speaking, these networks can not be considered as social networks because they do not involve an interaction between their users, limiting it to the sending of text messages or, at the most, to the use of photographs with comments, taking advantage of current mobile devices with cameras and Internet access. 2.2.2

Professional Social Networks.

Professional social networks are configured as new tools to help in establishing contacts with other users. Websites like LinkedIn or Xing constitute the second largest block of social networks. These platforms are created and designed with the purpose of making contacts and maintaining professional relationships. That is why the age is a determining factor while using these networks. As shown in

27

Examples of such platforms are Devianart (virtual exhibitions of photography) or Myartinfo.com (visual works) Moterus (bike routes in Spain and comparative bikes)

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 40 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 3, children under 20 years are very few to use them. The number of affiliated users increases with the age. It is the contrary with recreational networks. These ones are divided between teen-oriented networks (Tuenti, Fotolog) and service-oriented network (Facebook).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 41 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 3: Penetration of Online Social Networks by Age Group in Spain. July 2008 (%) 35%

31%

33%

30% 25% 21%

21%

21%

19%

20%

18%

17%16%

13%

15%

12%

11% 10%

7%

6% 4%

5%

1%

4% 2%

2%

0%

3%

0% 14-20 years old

MySpace

Facebook

21-30 years old

Hi5

Tuenti

Fotolog

31-40 years old

Xing/Neurona

Linkedin

Source: INTECO based on Observatorio sobre la Evolución de las redes sociales (The cocktail analysis)

The main utilities for professional networks include: •

For the worker: the search for new employment opportunities or new business contacts. Allow users to contact other professionals through common acquaintances, helping to improve connections between people who in normal circumstances would not access to the other.



For the employer: their presence is more and more important because social networks represent a new source for identifying potential participants. They also provide further information on the participants thanks to the information published on their profiles.

Professional networks are booming 28 . They benefit the sector in many ways and are especially attractive because they do not only serve as a complement to the staff selection process but they also provide data of interest. They also allow: •

Personalized marketing actions.



Creation of Premium services.



Publication and promotion of contents.

28

During June and July 2007, Xing, a leading social network has acquired two of its main competitors: eConozco and Neurona. Now Xing gahters more than 500.000 unique users.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 42 of 143

Instituto Nacional de Tecnologías de la Comunicación



Sale of “Trusted user" bonds: a certification issued by the social network itself to ensure that the user is trusted and that his/her aims are not malicious 29 .

The use of premium services on these networks is particularly interesting because of the high number of participants that are ready to pay a monthly fee in order to access more advanced services 30 . 2.3

Value chain and business models

Another issue widely discussed and dealt with when it comes to social networks, in addition to the need for protection of personal data and privacy,, is their economic viability, ie whether they can become profitable business from an economic point of view. 2.3.1

Value chain of social networks.

As a preliminary step to analyze the business model of social networks, the different elements of the value chain should be apprehended: •

Internet Service Providers (ISP). Those entities are responsible for providing technologies (servers, connectivity, bandwidth, etc.) to social networks, ensuring that users can access the platforms. The selection of a suitable ISP can lead to the success or the failure of a social network project since the technological requirements are very high in terms of transfer of information. After having selected the ISP, the model to host the information has to be chosen. This hosting can be accomplished by the lease of a dedicated server (housing) 31 or by hosting a website (hosting) 32 , depending on the traffic of the online platform and its technological needs. The ISP are the most important technical elements of the value chain of social networks.



Social networks and collaborating platforms. While developing the strategy to create this kind of online platforms, it should be considered in advance the targeted

29

Netlog has launched a new way of monetizing social networks by issuing trust certificates for individuals www.netlog.com 30

"More than one million paying users clearly show that professionals appreciate the value of xing.com as a professional tool for everyday use and invest € 5.95 per month to access the advanced features of the platform." "The subscriber loyalty is one of the greatest architects of the profitability of this business, over 75% of users still pay for premium after 3 years of subscription." says Lars Hinrichs, Counselor CEO and founder of XING AG.

31

Example of housing.

32

Example of hosting.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 43 of 143

Instituto Nacional de Tecnologías de la Comunicación

public and the kind of tools that will be available. The development of the applications and the advertising systems should also be examined. •

Marketing and online advertising corporations. They are the organizations responsible for performing and managing advertising campaigns on the network. They help to maximize their benefits on the long term. They are one of the main elements taken into consideration while setting up the economical profitability of the networks.



Companies dedicated to the development of applications. Decide what kind of applications (API) will be developed as well as the kind of user’s profiles that will be offered.



Users. They are the main elements to monetize the platform. The more stable and recurring the users are, the higher the value of the platform will be. It is vital for all the parties involved in this value chain to increase that number. The reputation of the platform is crucial for the users (involved in the process of monetization) to continue using and recommending it.

The relationship between the various members of the value chain is described in the Graph 4. The value of social networks lies in the number of subscribers, their loyalty, the level of updates and the easiness to set up a system of economic exploitation. The development of applications is taking an increasing place in the value chain as well as the number of economical transactions it generates. Finally, and although it is still difficult to talk about a clear model of exploitation, it seems that the advertising and the “premium” services will be the first systems chosen for maximizing profitability.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 44 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 4: Value chain of social networks

Source: INTECO

2.3.2

Business models.

Business models, actual and future, related to social networks will be analyzed in this section. Their effectiveness will also be highlighted. Current business model. The current business model of social networks is divided into the following phases: Phase I: Reaching a critical mass of users Following traditional business models, social networks intent to multiply the number and the loyalty of their users in order to secure their long-term sustainability and thus to maximize their profitability. Social networks are constantly looking for new users because these ones are exchanging information, documents, videos, images and experiences that, with an appropriate treatment, may offer the platform a way to manage a successful marketing campaign.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 45 of 143

Instituto Nacional de Tecnologías de la Comunicación

The success of social networks, collaborative websites and platforms had reached significant levels at the international level. Thus, although the sources are sometimes contradictory 33 , they all agreed on the growth of these advanced services online. Recent studies on the assessment and the analysis of Internet 34 traffic report that, within the 500 most visited websites in the world, at least 5 social networks are present 35 among the top twenty positions (Facebook, Myspace, Hi5, Orkut). The growth in the number of visits to the main social networks between June 2006 and June 2007 has been significant (Graph 5). Graph 5: Evolution of the Traffic (million) 120

114.1

100 80 66.4 60

52.2

40

28.2 14.1

20

18.1

24.7 14.9

24.1

18.2

13.6 6.7

13.2 1.5

0 MySpace

Facebook

june 2006

Hi5

Friendster

Orkut

Bebo

Tagged

june 2007

Source: INTECO based on Alexa Internet

North America and Latin America followed by Asia and Europe are the continents that are using the most social networks. The kind of networks that is being used varies by region. The Graph 6 shows that social network like Facebook and MySpace have received most of their visits from North America and Europe, while the social network Orkut have mostly received visitors from Latin America and Asia.

33

In this regard, it is important to note the absence of an organization that offers a comprehensive and impartial information and statistical analysis of the key aspects of social networks. These data remain in the hands of the social networks or the marketing and advertising consultants. 34

Alexa Internet Inc: Amazon Enterprise Group Company, one of the main reference for the assessment and the analysis of Internet traffic.

35

More information on http://www.alexa.com/site/ds/top_sites?ts_mode=global&lang=none. These statistics are important because the vast majority of advertising campaigns use these data to set their targets or find out new niches of buyers.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 46 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 6: Geographical distribution of social networks in 2007 (%) 100 88.7

90 80 70

68.4 62.5

62.1

60 48.9

50

43.0

40 30

31.0 24.1

24.7 16.8

20 10

3.8

8.1 1.3

2.0

5.77.1

29.2 22.7 23.4

21.8

20.8

15.3

13.9 8.7

7.7 0.42.50.8

4.6 0.6

2.9

0.5

14.6 10.0

1.3

0 MySpace North America

Facebook

Hi5

Friendster

South America

Orkut Europe

Bebo Africa

Tagged Asia

Source: INTECO based on Alexa Internet

It can be concluded that despite the global nature of social networks, a certain "localism" has emerged considering the degree of popularity of social networks in different geographical areas. 7 out of 10 Internet users are under 35 36 years old: 36.5% between 15 and 24 years old and 32.5% between 25 and 34 years old. (Graph 7). Moreover, according to the latest figures from the National Institute of Statistics 37 , one third of underage people use social networks in Spain (29% are between 15 and 24 years) National and international 38 studies consider this group to be the main user of social networks.

36

The absence of data on the use of network by children under 15 years old, should not be understood as non-use of such services by this population.

37

Survey: Equipment and Use of TIC (October 2008)..

38

For example, 35% in the UK according to Ofcom ( "Social Networking" in April 2008) or even 55% in the U.S. according to the Pew Internet & American Life Project (Report “Social Networking Website and Teens: An Overview”). The data released by INTECO report that 36.5% of Spanish social network users are young people, between 15 and 24 years.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 47 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 7: Segmentation by age of social networks users in Spain (June 2008) 40% 36.5% 35%

32.5%

30% 25% 21.0% 20% 15% 10%

7.9%

5%

2.2%

0% From 15 to 24

25-34

35-49

50-65

>65

Source: INTECO

Furthermore it appears that the use of social networks in Spain increases along with the level of education (Graph 8). Graph 8: Use of social networks in Spain by level of study (June 2008)

University's degree

28.7%

Medium level (Certificates of studies)

19.4%

First - Second level of Schoolarship

16.1%

Second - Third grade

14.1%

Primary studies

16.6%

0%

5%

10%

15%

20%

25%

30%

35%

Source: INTECO

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 48 of 143

Instituto Nacional de Tecnologías de la Comunicación

There are numerous national social networks such as Tuenti, whose success can be compared to global social networks such as MySpace, Hi5 and Facebook. It is not the case for other countries (Graph 9). Graph 9: Penetration of different Social Networks in Spain (July 2008) Myspace

19%

66%

15%

Hi5

13%

Facebook

13%

Tuenti

12%

4%

84%

Fotolog

11%

6%

83%

Xing/Neurona

72%

15%

79%

8%

90%

4% 6%

Linkedin

2%

1%

97%

Orkut

1%

2%

97%

Bebo

1%

Twitter

1% 0%

99% 2% 10%

20%

Account and regular use

97% 30%

40%

50%

60%

70%

Account and no use

80%

90%

100%

Without account

Source: INTECO from the Observatorio sobre la Evolución de las redes sociales (The cocktail analysis)

Thus, although the phenomenon of social networking is quite new in Spain with respect to other countries, a steady growth has been observed since 2007, to the extent that these platforms now occupy the place of other traditional tools and media to disseminate messages 39. The media and users interest for this phenomenon has helped national networks such as Wamba, Moterus or PatataBrava to grow significantly in Spain. As a conclusion, we can say that during this first phase, the main effort being made by social networks and websites is focused on collaborative actions to increase the number of members as well as on the ways to ensure active and continuing participation so that these are constantly updated.

39

An example of the influence that social networks have on society is the campain monitored by the Spanish public Radio&Television and the Spanish YouTube. They create a microsite called “Elecciones ‘08”(Elections 2008). This site was addressed to the presidential candidates of the Government of Spain for the elections of 2008. Voters, via videos, asked them questions on the issues they were most concerned about. The purpose of this whole campaign was to bring voters and candidates together in order to exchange contents, raise questions and situations that, after being selected, the candidates, without being prepared, had to answer with the utmost sincerity.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 49 of 143

Instituto Nacional de Tecnologías de la Comunicación

Phase II: Monetization of online social network When a social network has a sufficient number of users and updated profiles, the platform reaches a second phase in which the exploitation and monetization can begin. Debates are currently occurring among the industry about the most profitable operating models for such networks. The Graph 10 reflects the economical variables of the business model by which the exploitation and monetization of social networks is being made: •

Advertising: It can be based on the behavior of the users within the platform (main source of income)



Premium: the platform has two kinds of contents. In order to obtain a more complete, more advanced profile or to use more applications, the users must subscribe to options that are subject to charges.



Donations: the users, by themselves, make donations through instruments like PayPal 40 for the maintenance of the platform.



40

Payment for use: when the user wants to access certain tools, he will have to pay for their use, through SMS messages or PayPal services.

PayPal is a company pertaining to the sector of the electronic commerce by Internet that allows the

transference of money between users who have e-mail, an alternative to the traditional method like checks or money orders. PayPal also processes requests of payment in electronic commerce and other services Webs, by which it invoices a percentage. Most of her customer comes from the site of auctions in line eBay.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 50 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 10: Monetization of social networks and Web 2.0 (Sept 2008)

86%

Advertisement Annual or mensual subscriptions

26%

17%

Product sale

12%

Pay for users

10%

Donations

7%

Pay per use

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Source: INTECO based on Multiplica.com

However, these ways to monetize social network are not sufficient to guarantee long-term stability. For this reason, even if the value of Facebook is estimated to be around 15.000 billion dollars 41 , the investments of large corporations and venture capitals are the only ones that can maintain the economic infrastructure of the social networks. Business owners are looking for new ways to make social networks profitable, and to maximize the return on investment for the development and the management of these platforms. Among the most significant change is the possibility for users to collaborate on the development, the expansion and the improvement of the platform, thanks to the API (application programming interface ") issued by the network in question. This collaborative work both benefits the users and the platform 42 . Among the most important benefits 43 :

41

It is undeniable that the true interests of large corporations and Internet devoted to communication, are for social networking and collaborative platforms as shown in the titanic struggle being carried out by Facebook in the years since 2006 and even attempt to buy Yahoo that, in 2008, Microsoft acquired a 1.6% of their shareholding, to raise the value of Facebook to 15,000 million dollars. 42

For example, in the case of Second Life or World of Warcraft - online game, have come to auction through eBay to purchase items or money belonging to the online world and have nothing to do with the real world.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 51 of 143

Instituto Nacional de Tecnologías de la Comunicación



No upfront costs of production.



Setting up ad-hoc social network: it is the users who are making up the platform as they like and who are developing useful applications for the development of their digital identity.



Full involvement of the users in their social network: the users identify themselves with the platform they belong to. The platforms help them to build their personal image.



Ensures the interoperability between different platforms, allowing the users to update only one of their profiles. The others update automatically.

In addition to the collaborative work of the users of the platforms, another variable that characterizes the change in the current business model of social networks is the potential of their applications. One example is "Gift" (gift) from Facebook, which allows users to make gifts to other members for a monetary amount that is collected by the company that owns the platform. This application generates 44 around $15 million a year according to the independent consultant Lightspeed Venture Partners. The Graph 11 collects the daily income of other applications.

43

This model was recently introduced by Google, through its OpenSocial platform, based primarily on the availability of the entire community of Internet users of the open source platform through its API. In this model, the community is fully developed the platform to model and its similarity, providing all the needs, as users, considered essential for the proper functioning of the application. This strategic move, born from the alliance 43 43 43 43 43 43 between the world's leading social networks(Orkut , Bebo , Engage.com , Friendster , Hi5 , imeem , LinkedIn, Ning, Plaxo, Six Apart, Tianji, Viadeo y Xing), as a means to achieve the definition of common tools to develop applications that serve all social networks, ie for the development of interoperable applications between different platforms. This is a line parallel to that followed in the field of consumer software, where increasingly, the collaboration of community development and open programming languages (Free Software), have been established in the personal computers of users. With OpenSocial, is designed to help software developers and social networking applications to transform their ideas into economic returns. Thus, in November 2007 announced the launch of this platform is directed at first only to software developers (with the intention of Google to become the standard for developers of applications for social networks). In the first moments, and as was expected, following the launch of OpenSocial is the first discovered security flaws, suffering his first cracking the November 5, 2007, causing serious damage to the social network owned by Google, Orkut, single network that operated at that time OpenSocial. After the first initial errors, on the other hand, logical and obvious, given the complexity of development, OpenSocial is currently described as an alternative to Facebook. 44

More information about this company in http://lsvp.wordpress.com/about/.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 52 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 11: Earnings per day of the Facebook applications (in thousands dollars)

Mob Wars

22.5

Bumper Sticker

18.2

PackRat

13.3

Pieces of Flair

8.5

FunWall

8.4

0

5

10

15

20

25

Source: INTECO based on developerAnalitycs.com (August 2008)

Future business models and strategies of social networks The future model of the business will be based on the collaboration between the platforms and their users. They will provide new services able to produce economical benefits related to the number of users who use them. The main challenge is for social networks to get a revenue growth proportional to the number of their users. In this sense, the main tendencies are enumerated next that have been considered during the phase of investigation of the Study like valid alternatives for the construction of the future model of business of the social networks and collaborative Web sites, considering beforehand that, by analogy, will be to them of application the tendencies anticipated for Web 2.0 45 like advanced and integrated services in this one. Growth of online advertising and marketing The Graph 12 shows the market forecast for the U.S. B2B 46 advertising in social networks, for 2008, which will be $ 40 million, rising to $ 210 million in 2012.

45

The Web 2.0 and its models of business. Comparative study on the sources re-entry and the models of

business of 100 more important Webs 2.0 (multiplicax). 46

Abstraction of Business to Business that means between companies.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 53 of 143

Instituto Nacional de Tecnologías de la Comunicación

Graph 12: Forecast sales of online B2B advertising, between 2007 and 2012 in million U.S. dollars 250 210 200 165 150 125 100

80

40

50 15 0 2007

2008

2009

2010

2011

2012

Source: INTECO based on E-Market

Collaborative platforms and social networks will collaborate actively in the campaigns of the agencies hosted in their interactive websites. Advertisements or banners will be replaced by new advertising applications encouraging the users to interact with them more actively and effectively. Their potential will be enhanced through: •

The analysis of users ´behaviors, identifying market sub-segments based on the needs and preferences of the customers.



The creation of internal markets in which online users can actively participate.



The advertising and promotional exploitation of the profiles of users through commercial agreements with foreign brands and companies.

Based on this business model, the possibility of monetizing a social network is determined by the existence and the consolidation of the following aspects: •

The ability to analyze the needs and preferences of its users.



The ability to offer new services.



The ability to increase the number of loyal and active members involved in the social network.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 54 of 143

Instituto Nacional de Tecnologías de la Comunicación

Supply of new segmented applications run by social networks. Increase in the supply and the development of new segmented applications and functionalities. Increased level of users. Many websites (such as MySpace, Facebook, Xing or any other detected social networks or collaborative platforms) are key elements of the "Culture 2.0." They seek to attract the largest number of users possible in order to maximize the ratio of monetization ( "a larger number of visitors = a higher value of the platform”). Enhance and capitalize collective knowledge. Use collective knowledge to customize contents and make them more appropriate for the users 47 . Responding to the tastes, needs and preferences of the user, the social network will address a series of personalized messages, known as contextualized messages, depending on his kind of navigation. Mobile technologies are emerging as a new channel to access social networks. The Web 2.0, and by analogy, social networks and platforms, bet on the success of mobile technologies and the spread of wireless Internet connectivity to increase the number of accesses and updates of user profiles. Interoperability of social networks. Enhancing and developing tools that enable the users to be free from local applications (installed on their computers) to communicate with their contacts, by making these communications possible directly through the social network. This kind of application will be designed and developed by the users of the network, using programming languages that can be run on other platforms, in order to ensure that social networks are interoperable with each other 48 .. Geopositioning and multimedia devices. Furthermore, according to a recent study "Spain 2008", published by the Foundation Orange, the development of mobile connection systems (3G and 4G), as well as the emergence of new mobile devices that integrates multimedia utilities, will allow the users of social networks to access and update their profiles from anywhere in the world with a simple Internet connection. According to a recent study published by ABI Research (01/08/2008), mobile technologies, social networks, and multimedia platforms, will benefit from a 3.3 trillion dollars profit by 2013 49 ..

47

Example of this logic was applied by the Amazon website to recommend books to other users.

48

Example of this trend is the platform created by Google,Open Social.

49

Fore more information visit the website of ABI Research.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 55 of 143

Instituto Nacional de Tecnologías de la Comunicación

IT security solutions. IT security solutions to protect the users of social networks are seen as another source of potential business opportunities. New software have been developed to ensure the security of social networks and to protect the privacy and personal data of their users, particularly underage ones 50 . Graph 13: Growth model of social Networks

Source: INTECO

50

More information: White paper on digital content in Spain 2008 . Red.es

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 56 of 143

Instituto Nacional de Tecnologías de la Comunicación

2.4

Risks implied by the use of social networks

Social networks offer multiple functionalities. Among them, the most used, as shown in the Graph 14, are the sharing and the uploading of photos (used by 70.9% of users), followed by the sending of private messages with 62.1%. Graph 14: Uses of social networks by Spanish users (%). October 2008. Share or upload photos

70.9

Send private messages

62.1

Comment on photos of friends

55.0

Update profile

52.1

Send public messages

50.2 46.2

Gossip Tag friends in photos

34.8

Get information about their interests

25.0

Download applications

19.3 9.5

Download game/Find friends Job search/recommend professionals

8.5 0

10

20

30

40

50

60

70

80

Source: INTECO from Zed Digital

However, despite the opportunities and benefits represented by these features, it should be noted that such platforms are not free from risks, as explained below. General social networks are exposed to a higher level of risk than professional social networks, since their users do not only publish personal information (studies, professional experiences), but also do so with their tastes, ideology or experiences, which means that the number of personal data available to the public is more extended than in professional social networks. The risk for data protection and privacy is very important. Among the main situations of risk: •

The users of social networks are not aware that their personal data will be accessible by anyone and might be exploited for commercial purposes. In many cases, they are making public personal data that they will never have exposed in their daily life such as ideology, religion and sexual orientation, etc.



Personal data can be used illegally by ill-intentioned users.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 57 of 143

Instituto Nacional de Tecnologías de la Comunicación



The possibility to publish false or unauthorized information may generate new legal issues 51 .



While registering the users give full and unlimited rights on all published contents to the hosting platform, so they can be economically exploited 52 .

Therefore, despite the fact that social networks have a multitude of benefits, their users should not ignore the fact that they are public tools that offer access to everyone. The majority of social network users are neglecting the privacy of their profiles. The recent study "Social Networks: Quantitative and qualitative analysis on users habits, customs and activities" published by Ofcom (Office of Communications) stated that almost half of social networks users (43%) haven’t restricted the access to their profile (Graph 15). Graph 15: Privacy settings (October-December 2007) 60% 48% 50% 43% 40%

30%

20%

10%

6% 3%

0% The profile can only be seen by friends

The profile can be seen by anyone

The profile cannot be seen

The user doesn't know

Source: INTECO from Ofcom. Office of Communications

When it comes to underage users, the risks represented by ill-intentioned uses of their profile are even higher. Using social networks is becoming a common activity for young people and is taking part in their social development. Social networks bring great benefits to children, offering them

51

More information about Phishing : http://www.legaltoday.com/index.php/actualidad/noticias/phishing-unaalarma-constante. 52

One of the most important controversy occurred in 2006 with the band "Arctic Monkeys", which was on the verge of losing the rights to their own songs, for having been hosted by a social network in its early stages.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 58 of 143

Instituto Nacional de Tecnologías de la Comunicación

access to a new medium for communication and social interactions, allowing them to maintain direct contact with their friends and acquaintances and to create a new form of digital identity 53 . However, as underlined in the study "Social Networks: Quantitative and qualitative analysis on user´s habits, customs and activities" published by Ofcom (Office of Communications), underage users, despite having some notions on security, neglect certain of its aspects and sometimes do not give enough importance to their personal data. Chapter 3 of the studies analyzes the specificities of the Spanish law regarding particularly vulnerable groups. The data presented in this study are sufficient to realize that the growth of social networks in the past few years has been unstoppable. So far it has been positive, without large or numerous cases meaning a danger for the users. However, the risks are evident and increasingly frequent in this kind of platforms. While the number of users of social networks increases, the examples in which their data are used for illegitimate purposes, and users are victims of fraud or even kidnapping and similar crimes are increasing. Recently, the company ScanSafe, a web security consultancy, has published a study 54 revealing after analyzing more than five billion page requests in July 2006, that more than 600 websites considered as social network included some kind of malicious codes (malware). Most of the malware are spyware and adware (usually pop-up windows) that are being attached to internal applications that are executed inside users´ browsers. The identified spyware and adware aree attached to benign programs, but they seriously affect the user, for example, redirecting his/her browser. Their elimination often represents a difficult task. Most of the social networks that contained this kind of “malware” were considered to be general or recreational. Professional social networks haven’t suffered yet from the presence of these “malware”. 53

According to Evolucy Technology Consulting SL (www.evolucy.com), a company specialized in usabilty, "by definition, identity is one set of features characterizing an individual in front of the others. The verification of these features is what enables us to determine if an individual is who he claims to be. Some of these features are characteristic of the individual, others are acquired over time. Of course, not all features are equally significant. There are features that are visible to the naked eye, while others are hidden and need a certain knowledge and sometimes tools to verify them. The set of features that characterize an individual or a group in a digital media is known as Digital Identity”. 54

More information in: http://www.scansafe.com/.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 59 of 143

Instituto Nacional de Tecnologías de la Comunicación

From a practical point of view it seems logical that the main objectives of the cybercriminals are general or recreational social networks, as they have a higher number of users than the professional networks 55 . Potential risks associated with professional social networks are the ones associated to the protection of personal data published by the users, which can encourage the proliferation of so-called "contact collectors" or "social spammers”, dedicated to collect contacts on social networks, for no other purpose than to appear socially successful. A priori, his kind of behavior may not seem harmful. However it raised a serious problem for one of the largest worldwide professional social network (LinkedIn). As a result, the owner of the platform had to change the way for users to interact, obliging the ones that want to contact others members to have previously recognized the existence of a relationship of mutual trust 56 , which was not initially a requirement.

55

According to official information published by Facebook, the current number of users reaches 110 million, while the professional social network Xing only reaches 500,000 users. 56

More information in: http://www.ejournal.unam.mx/rms/2005-1/RMS005000104.pdf

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 60 of 143

Instituto Nacional de Tecnologías de la Comunicación

3

ANALYSIS OF THE MOST IMPORTANT ASPECTS AND SPECIFIC PROBLEMS OF SOCIAL NETWORKS

The current trend on the Internet is now to focus on the user- through forums, blogs, wikis and social networks- in other words, all those utilities and services that are based on a database that the users may change while processing the contents (adding, changing or deleting information). But the notoriety of these social spaces is not free from risks of potential ill-intentioned attacks. The importance of the article 18.4 of the Spanish Constitution should be underlined in this regard. It regulates the informatics uses that could have an influence on the basic rights to the persons. A great effort has been made in this sense by both the Spanish and the European legislations, with the approval of the Collective Agreement 108/1981 by the Council of Europe, with the rules drafted by the European Communities in matters of data protection, information society or intellectual property, and with the Spanish rules that develop and define a regulatory basis for the users´ protection on the Web 2,0 and social networks. This chapter will analyze the most relevant issues related to social networks and collaborative websites, in order for their users to have enough information about their rights and obligations. The selected criteria for the analysis were the followings: •

The protection of right to honor, personal and family privacy and image.



The secret of communications.



The personal data protection.



The protection of literary, artistic, scientific and technological creations by intellectual property rights.



The protection of consumers and users.

The analysis of these rights will follow the following structure: •

Definition of the right



Legal frame: applicable regulation and evolution.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 61 of 143

Instituto Nacional de Tecnologías de la Comunicación

o

International regulation 57 .

o

European regulation.

o

National regulation.



The possible risk the rights could be subject to.



Most vulnerable groups: underage and legally incapacitated users.



Others: Workers.



Measures to safeguard these rights

3.1

Protection of the right to honor, personal and family privacy and image.

The article 18 of the Spanish Constitution protects the personal sphere of the individuals, by guaranteeing their privacy and by giving them the right to exercise a control over the treatment of their personal information. We can found in this article certain classical rights to the persons, - rights to honor, personal and family privacy and image,some others referring to specific fields–inviolability of the domicile and secret of communications-, and one right of the Third Generation defined by the Constitutional Court as the fundamental right for data protection. The technologies of information do no only affect the third right but also the two first categories. The main rights established by the article 18 SC, are not absolute: they could be limited by other relevant rights/assets when the conditions defined by the Constitution are reunited. In case of conflict, the core values of the article will be respected and other measures will be taken to adapt to the situation. These rights have been developed in the civil and criminal field, through very diverse laws -as the Organic Law 15/1999, of December 13th, on the Personal Data Protection-, forming a complex normative structure. In this way, the labor is just to consider the content and existent services in social networks to make the question of how these regulations are projected over them and in the users’ activities. 3.1.1

Definition of the right

The definition of the asset protected in the article 18 SC results particularly complicated because of their structural complexity and because of the influence of the uses made of new technologies. In this sense and for purely pedagogic reasons, it must be told that the 57

Within the study of international legislation will also include U.S. regulations. In the largest social networks most users are nationalized in the United States. Furthermore since the attacks of September 11, its legislation is focusing on communication via the Internet and in the defense of children.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 62 of 143

Instituto Nacional de Tecnologías de la Comunicación

article 18 SC intends to protect the private life, as well as the dignity and the freedom of the human being 58 . These rights are categorized as rights to the person, and their ownership, -with some exceptions-, can only be attributed to physical persons. They can not be waived, nor transferred, nor subject to a period of limitations in order to be exercised before a court, nor subject to seizure, and they are inalienable. Private life is regulated by different rights. The Article 18.1 SC provides the rights to honor, personal and family privacy and image. The Court has emphasized that, although these rights have the same goal, they should be considered separately but should be deeply intertwined 59 . The link between these rights, even the secrecy of communications and the fundamental right to data protection, is the use of personal information. This fact does not necessarily mean that they cannot be analyzed independently. The right to honor protects the public image, name and reputation of a person –in a public context-, to make other people respect completely the life of a person. This right goes beyond the death of the person, and is granted by the law protecting the successors. The right that protects the image of the individual gives to every person the ability to exercise control over the recording, use and spreading of their image, because all these actions are considered as graphic representations of the human voice and face. When the Constitutional Court was dealing with the right that protects the image, it not only considered its concrete aspects: the power to consent for the publication or spreading of images that reproduce the human face, it went beyond, referring to the information that those images or sounds reveal that have a direct relation with the intrusions of privacy. The right to privacy was understood, initially, by the doctrine and jurisprudence, as a well-ordered protection for the most internal and reserved spheres of people. Later jurisprudence and social developments have considered the right to privacy to have a broader content and a lot of manifestations. In this sense, the relationship between the intimacy and the image, the conflicts that occur in case of exercising the right to information and freedom of speech, the evidence in criminal matters, the protection of

58

“Along with the value of human life and substantially related to its moral dimension, our Constitution has raised fundamental legal value to the dignity of the persons, without prejudice to the rights which are inherent to, is intimately linked with the free development of personality (art. 10) and the rights to physical and moral integrity (art. 15), freedom of ideas and beliefs (art. 16), honor, personal and family privacy and Image (art. 18.1). The meaning of these precepts can be deduced that dignity is a moral and spiritual values inherent to the person which manifests in the self-conscious and responsible for his own life and that brings respect from others. " (STC No. 53/1985 FJ 8). 59

“The right to image, in art. 18. 1 CE along with rights to privacy and family honor, help to preserve the dignity of the person (art. 10. 1 CE), and safeguard” their own personal reserve, against encroachments of others. Only acquires its full meaning when it comes under the protection of "an area reserved for itself and against the action and knowledge of others”, along the lines needed in our culture, to maintain a minimum quality of life" (STC 99/1994).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 63 of 143

Instituto Nacional de Tecnologías de la Comunicación

health and genetic research, and the protection of the family dimension have extended the scope of this right. Finally, the Constitutional Court has given autonomy to the fundamental right to data protection that is covered in a specific section of this study, configuring it as a right, but with an instrumental relationship with the rights of the first paragraph of the Article 18 of the SC, even though it has an own constitutional configuration and definition. Finally, although this study does not go deep into this subject, it should be noted that the protection of constitutional privacy is projected by two other rights. First, we must have to refer to the domicile inviolability. According to the Constitutional Court " this right does not only protect the physical space, which by itself is considered, but this right also covers the emanations of the individual and private sphere of the person. Interpreted, in this sense, the rule of inviolability of the domicile has an extensive content and imposes a broad range of guarantees and powers, which include the power to ban all kinds of invasions including those that may be made without penetration through mechanical, electronic or other similar materials. The second rule establishes a condition for the entrance and registration of it, which is that the owner have to consent or it has to be ordered by a court decision" 60 . It should be noted therefore, that a physical penetration into the domicile is not required and that this principle should be directly related to the world of Internet because of the presence of thousands of webcams or video recordings in the personal domiciles that could hurt this right. The latest manifestation of privacy, based on constitutional protection, is the secrecy of communications. It protects both, the fact of communicating and the contents of the communications. Thus, "in a narrow sense, the law may be violated both by the interception (which would support the physical apprehension of the message or by any other form) as of for the simple unlawful knowledge of communications (for example, the external opening of the correspondence stored by the recipient)” 61 . The secret defined by the Article 18.3 SC has a “formal” “sense in what was previously preached, whatever if their content is, or not, subject to personal, intimate or reserved communication", and stipulates "the irrefutable presumption that what is communicated" is 60

STC 22/84. FJ 5. Any position that strongly reaffirms the legal basis of the fifth STC 50/1995 states:

"The residence, as it is defined by law (art. 40 CC), limit the space where the person live without necessarily being subject to customs and social conventions, (STC 82/1984) and therefore, their protection is an instrument for the defense of the private area. There is an indissoluble link of such sacredness of the headquarters of the existential, which ban any intrusion, and in particular the entry and the privacy, which is otherwise in the precept that the other (art. 18.1 and 2 EC). As well, STC 133/1995. 61

STC 114/1984.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 64 of 143

Instituto Nacional de Tecnologías de la Comunicación

“secret” "in a substantial sense." However, secrecy of communications is not projected over the interlocutors over the ones who may be responsible of the obligation of not to disclose anything, under the penalty of violating the privacy rights to any of them. Another important detail of the doctrine of the Constitutional Court is the idea that when this topic is touched, the privacy of communications will not prejudice the specific technological medium used. The Supreme Court has completed this case in the jurisprudences SSTC 70/2002 and 123/2002. Both provide a technologically update which protects against interferences in any kind of communication "regardless of the transmission technique used and whathever is the content of the message" conversations, information, data, images, votes, etc." Therefore, secrecy in communications will be projected on all the services of social networks that provide communications, such as those based on private messaging tools. Giving an efficient protection of these rights in the field of social networks, and generally in the Information Society, entails the need to reinterpret, adapt and strengthen the concept of protection, because social networks encourage users to publish personal information and in many cases, information that corresponds to intimate areas as: personal ideology, sexual orientation, religious beliefs, etc. 3.1.2

Applicable Law

Following hereafter is the normative analysis and thelegislative developments of the right to honor, personal and family privacy and image, with special emphasis on the protection of this right on the Internet and the services associated with it. To provide a complete overview of this situation, these rights are going to be analyzed in an international, European and national view. International regulations The protection of these rights is not restricted for certain states, but is recognized by the main part of the international community, and are specifically protected by national constitutions and laws of many countries. The Declaration of Human Rights of 1948 establishes the first source of norms regarding these rights, stating that: "No one shall be subjected to arbitrary interferences in his privacy, family, domicile or correspondence, nor attacks on his honor and reputation. Everyone is entitled to the protection of the law against such interference or attacks." Similarly, but specifically for minors, the International Covenant of Civil and Political Rights of 1966 and the International Covenant of Economic, Social and Cultural

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 65 of 143

Instituto Nacional de Tecnologías de la Comunicación

Rights of 1966 give the right to all children to have a greater degree of protection, because of their particular characteristics. This normative protection for minors is expressly stated in the document adopted by the Convention of the Children Rights of 1989, which states: "no child shall be subjected to an arbitrary or unlawful interference in his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. The child is entitled to the protection of the law against such interference." European Regulation First, it must referred to the Rome Convention of 1950 (ECHR) 62 that can be cited as the first European text that enshrines the protection of privacy and also, the Common Agreement 108 of the Council of Europe that defines the legal context of privacy protection, in relation to information and communications technologies. The International Convention of 1950 has also been particularly effective in the field of human rights protection in those States who have agreed to be bounded by its terms. The importance of the Convention, for national legal systems, derives from its dual nature as a rule incorporated into the Spanish law by the Article 96 of the Spanish Constitution and as a criterion for the interpretation of fundamental rights with the provisions of the Article 10.2 of the Constitution. This dual nature has effects on the judgments issued by the European Court of Human Rights that implements the Convention. It produces legal effects in domestic laws and has been inspiring the work of the Constitutional Court in the interpretation of fundamental rights. At the EU level, the provisions of the Charter of Fundamental Rights to the European Union (2000 / C 364/01) 63 stipulates that "Everyone has the right to the respect of their private and family life, home and communications”. Similarly, in the European Charter on the Rights for the Child (A3-0172/92 European Parliament resolution of 8 July 1992) has stated that "Every child has the right to be free from unwarranted intrusions by third parties in his private life, family, and not to suffer 62

The Rome Convention of 1950 regulates the right to privacy in Article 8 as follows:

Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right, but as long as this interference is provided for by law and is necessary in a democratic society, is necessary for national security, public security, economic welfare of the country, the defense of order and crime prevention, protection of health or morals or the protection of the rights and freedoms of others. Rome Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms. Instrument of Ratification of 26 September 1979. 63

Published in Diario Oficial de las Comunidades Europeas on december 18th of 2000.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 66 of 143

Instituto Nacional de Tecnologías de la Comunicación

unlawful attacks that affects his honor, recognizing the right and also protecting their image”. It should be noted that EU rules do not usually relate to privacy or the right to privacy, but many other rules use the term “privacy” when dealing with personal data (see section 3.2.1). United States of America In the U.S. the protection of privacy in the legislation is a complex interpretation of the Supreme Court’s work that, after nearly half a century, has reached to the constitutional recognition of the right to privacy. And it was by deducting it from “the shadows and dark shadows" of various amendments of the Constitution. The U.S. Constitution does not expressly recognize the right to privacy. This one was built by the Supreme Court from rights explicitly recognized in the Constitution, and by their combination with what was deduced from the "dark shadows" of the constitutional percepts. Specifically, the Supreme Court has come to the fact that the U.S. Constitution does not contain a closed list of rights but, the Ninth Amendment stands with an open clause for the incorporation of new rights and states that "the Constitution lists certain rights”,“which does not means that this deny or disparage other rights granted to the people". Moreover, the Fourteenth Amendment has provided the Court a procedural argument to consider cases related to privacy, which gives citizens the right not to be deprived of life, liberty or their properties without due process of law”. Thus, the Due Process Clause acts as a clause guaranteeing the freedom of citizens against the powers of the State. These two specific clauses related to specific rights –the freedom of speech and people's participation in the First Amendment, that limits the military use of private houses during peacetime, and in the Third and Fourth Amendment, the protection of the domicile- have been used to infer privacy as a Constitutional right. It should be noted that is not easy to analyze in a legal mode the regulation of privacy in the U.S., because of the U.S. have a federal State 64 .

64

They can be mentioned, in a nonexhaustive list, among others: Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 (1970). Privacy Act, 5 U.S.C. § 552 (1974). The Freedom of Information Act (FOIA), 5 U.S.C. § 552 (1974). Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g et seq. (1974). Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq. (1978). Privacy Protection Act, 42 U.S.C. § 2000aa et seq. (1980). Cable Communications Policy Act 47 U.S.C. § 551 et seq. (1980). Electronic Communications Privacy Act (ECPA), 18 USC §§ 2701-11 (1986). Video Privacy Protection Act, 18 U.S.C. § 2710 (1988). Employee Polygraph Protection Act, 29 U.S.C. § 2001 et seq. (1988). Telephone Consumer Protection Act, 47 U.S.C. § 227 (1991). Driver's Privacy Protection Act, 18 U.S.C. §§ 2721-2725 (1994). Telecommunications Act, 47 U.S.C. §222 (1996). Electronic Freedom of Information Act Amendments of 1996, Public Law No. 104-231, 110 Stat. 3048 (1996). Financial Modernization Services Act ,Public Law 106-102, Gramm-Leach-Billey Act of 1999. Department of Transportation and Related Agencies Appropriations Act of 2000 § 350, Pub. L. No. 106-69; 113 Stat. 986 (1999). Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USAPA), H.R. 3162, (2001) o USA Patriot Act. Pen/trap Statute 18 USC §§ 3121- 27 (2002). Wiretap Statute, 18 USC §§ 2510-22, (2002).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 67 of 143

Instituto Nacional de Tecnologías de la Comunicación

Similar regulations are responsible for ensuring the protection of privacy of users in specific situations. In this regard are included 2 main rules: •

Telecommunications Act 1996 (adopted on June 13, 1996). This rule explicitly governs all aspects of the Internet dealing with violent content and/or pornography that may damage ethics and morals of the people, establishing the protection for the ISP (Internet Service Providers), regarding the contents published by third parties.



Children's Online Privacy Protection Act 1998, which contains the specific regulations regarding acts designed to obtain information or deceive children when they are navigating on the web.

In terms of privacy, it is necessary to consider the "USA Patriot Act” (UPA) adopted on October 24, 2001. This rule is a clear limitation of the right to personal and family privacy and the confidentiality of communication, for any person in the United States, since the Federal Government has the full power to tap any kind of communication, internal or external, e-mail, telephone conversations, either text or voice messages, web browsing history, as well as consultations on Internet search engines. This intends to increase the security of the State against the organized crime and terrorism. Spanish Laws A national policy of recognition of the right to honor, personal and family privacy and image is enshrined in the Article 18.1 SC. Subsequently, by the Act 1/1982 of May 5, Protection of the Civil Right to honor, personal and family privacy and image, the Spanish legislation develops this fundamental right, with a specific protection in civil matters. The Criminal Law provides specific regulation in crimes that involves the violation of the rights to honor, privacy and image, regardless of the means by which they are committed. Under the point of view of the secrecy of communications and the fundamental right to data protection, this rule is combined with the publication of the Law 25/2007, Conservation of Information related to electronic communications and public communications networks that states the obligation for the operators to provide electronic communications services available to the public or for those who operates public communications networks, to retain traffic data generated by users via their phones or devices connected to the Internet, as well as the duty to transfer such data to agents empowered through a required judicial authorization, for purposes of detection, investigation and prosecution of serious crimes under the Criminal Law or specific related laws. Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 68 of 143

Instituto Nacional de Tecnologías de la Comunicación

3.1.3 Possible risks. How could the right to honor, privacy and image be affected in a Social Network? As noted in the beginning of this chapter, social networks and collaborative websites, are not free from danger of malicious attacks. Some situations may arise that threaten the integrity of the rights to honor, personal and family privacy and image of their users. Thanks to the previous analysis and the interviews conducted in the sector, we are going to show situations that can damage the integrity of the users’ rights. This analysis starts at the moment the user is logged in the social network, and ends at the time the service is cancelled. Thus, the first critical point is the user registration and profile settings process, since this is the phase in which the user must assess what is going to be published on his/her profile and the level of publicity that this information is going to have. This point is very important and must be taken care of by the users; it will be essential for the subsequent protection of their privacy and the one of all the members of their network. In this initial stage, the right to personal and family is only affected when personal data are provided. It is affected if the service offers to the users the ability to make decisions about their environment, (for example, if the profile could be configured as a public or as a restricted space), then by how the user uses his/her profile, it could affect the honor on his/her personal images or the one of persons to whom he/she refers to. Thus, a possible risk that may arise is that the user does not properly set the profile privacy level at the time of the registration, either through ignorance or because the social network does not have these settings. A proper configuration of the profile privacy is essential; since often what is enabled by default on the platform allows the maximum degree of visibility. Therefore, an incorrect configuration or setup can affect not only to the contents that had been published by the user, but also to all other users who have published or shared information, since it will be accessible for the other members of the platform. The routine of the users in the platform is the second moment when the right to privacy and image may be violated, depending on the kind of activities that the users perform. They could undermine the protection of these rights by the publication of intimate information in the platform. Any user could control the content that he/she wants to be published, but the implications of this action are not correctly appreciated. Furthermore, the control of the information in a social network is limited because any person on it could publish pictures, videos, reviews, images or labels with the name of other users.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 69 of 143

Instituto Nacional de Tecnologías de la Comunicación

Furthermore, it should be noted that the amount of information, data and images that can be published could be excessive and impact on the personal and third parties ´privacy. •

Personal privacy: even if the users are those who voluntarily publish their data, these platforms possess powerful tools for exchanging information, processing capacity and analysis of information provided.



Third parties´ privacy: it is essential that users keep in mind that the upload of information and data of third parties could not be done, unless they have expressly authorized agree to it so the third parties could request immediately its removal.

It is important to note that in most cases, social networks allow to search engines to index the user profiles, along with the contact information and profiles of related friends, which could be another risk for the protection of privacy. It may also hinder the removal of their information on the Internet. Another risk that may occur while surfing on the social network, is the one related to the ability of these platforms to locate the user through the IP address and get to know the connecting device in order to contextualize the content and advertising displayed on it. This fact can be considered as an intrusion to the routines of the user that can seriously impair the right to privacy. Finally, when the user requests to unsubscribe from the service, the right to privacy and image may also be affected. This happens because, in spite of the cancellation of the account, private information of the user could sometimes continue being accessible from profiles of other users and indexed and cached from different search engines available on the Internet. 3.1.4

Vulnerable Groups. Underage and legally incapacitated users.

This section gives specific attention to three groups that, by their nature, may be affected in a greater extent than other users; underage users, legally incapacitated users and workers, whose presence and participation in such platforms is common. Underage and legally incapacitated persons From a legal point of view, in matters related to the protection of honor, privacy and image, we have to take into account the specific regulation that already exists. The Organic Law 1 / 1982 on the Civil Protection of the Right to honor, personal and family privacy and image, specifically regulates the manner in which the consent should be given by underage and legally incapacitated persons, in order to make an adequate protection of their rights to honor, privacy and image. In this regard, it provides that: "The

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 70 of 143

Instituto Nacional de Tecnologías de la Comunicación

consent of underage and legally incapacitated persons should be provided by them if their conditions is considered as mature by the civil law." Moreover, the law establishes two principles that contrast with the reality of the Internet. The Article 1 stipulates that: "the civil protection to honor, privacy and image is defined by laws and social practices according to the acts made by a person”. Moreover, referring to the underage persons the Section. 3, establishes a criteria, of the possibility that a mature underage person can consent in matters which affects his honor, privacy or image, and, in cases where children does not have the sufficient capacity to consent, the rule says that "the consent will need to be given by a written text of the legal representative, who will be required to inform to the Public Prosecutor about this consent. If in eight days the Public Prosecutor has objected the given consent, the judge will decide." An additional criteria is what the Article 4 of the Organic Law 1/1996 of January 15, of Protection of Underage persons, that partially amends the Civil Code and the Code of Civil Procedures, which, in addition of recognizing the child's rights in Article 18 SC provides the intervention of the State Prosecutors in cases of spreading of information or use of images or names of the underage persons, in media that may involve an unlawful intrusion to their privacy, honor or reputation, or that may be contrary to their interests. Also, the provision orders to parents and/or guardians and to the authorities to respect these rights and protect them against possible attacks by third parties. It is clearly evident, that the reality of social networks is beyond the actual regulations, so it required a systematic and proper interpretation of every law and regulation. Children under 14 years old are capable to understand the use of technology, capturing and reproducing information which affects their honor, privacy, image, their interests or others´. Photographs of children proliferate on the Internet on their own profile spaces, and even on pages linked to their families and/or to school activities. It can be noted that the specific risks for children in this area are directly related to: •

Access to inappropriate content.



The possibility to have an online contact, and even in person, with malicious users.



The proliferation of children images and personal information published by themselves or by third parties with ignorance of the risks associated with.

Social networks and websites, have main difficulties in achieving effective protection of users because their actual systems are unable to control publications made by their underage users, and by do not having tools that fully ensure the identity of their users.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 71 of 143

Instituto Nacional de Tecnologías de la Comunicación

Therefore, as the measures to control the content and access to inappropriate material, are not properly developed and implemented, the risk of violating the rights of the minors will persist. To this factor it should be added that, (as we have emphasized) the Organic Law 1/1982, at the time that it was created, the usage of information and the image of the children, as the intervention of the Prosecutor, nowadays is certainly feasible thanks to technology. The ENISA paper 'Children in a virtual world: What parents should know about” 65 , published in September 2008 provides a series of recommendations to parents, highlighting, among other recommendations, the need to train and educate both (parents and children) alike. Other cases: workers From a legal point of view, the privacy of workers have an additional protection that the Royal Decree 1/1995 of March 24, complements by approving the text of the Workers' Statute (WS), that repeatedly states the right to workers to be respected by the employer. That rule provides that “records to workers could only be made in their lockers and just if these measures are necessary for the protection of the business and other employees’ assets. During the implementation of these measures, the dignity and privacy of the employee will have to be respected and will be made assisted by the legal representative of the workers or, in his absence it will be made by, another worker of the company, when it could be possible." However, this is certainly not a criteria applied for Internet and that is something that the Supreme Court indicated when it established that the employer can control and even limit the access of the mentioned recordings, in virtue of the power given by the Article 20.3 of the Workers' Status if certain conditions are reunited 66 .

65

http://www.enisa.europa.eu/doc/pdf/deliverables/children_on_virtual_worlds.pdf

66

UNIFICATION THEORY Appeal 966/2006, Case 26/09/2007 Supreme Court said: "The control of the computer use provided by the employer to the employee is not regulated by Article 18 of the Workers, but by Article 20.3 of the Workers' and this provision must be with the qualifications set out below have been made. The first concerns the limits of that control in this area and the provision cited refers to an exercise of the powers of surveillance and control to save on their adoption and implementation, due consideration "to the dignity of the worker, which also refers respect for privacy in terms to which reference has already been made in reviewing the judgments of the Constitutional Court 98 and 186/2000. (...) You have to do business in accordance with the requirements of good faith is to establish in advance the rules for using these media, with application of absolute or partial bans, and inform the workers that there is control and the Means to be applied in order to verify the correctness of the applications, as well as measures to be taken where appropriate to ensure the effective use of work environment where necessary, notwithstanding the possible application of other measures preventive, as the exclusion of certain routes.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 72 of 143

Instituto Nacional de Tecnologías de la Comunicación

Moreover, considering the potential that Internet has, it is proven that in work selection procedures are performed, not only the use of the information provided by the candidate in the job interview, but also of the information that appears on social networks and other online services. It should not be underestimated that it is used the sort of results that search engines provide. Undoubtedly, this situation may pose a risk to the privacy of workers, so it again becomes necessary for workers to restrict their profiles, and the access to their personal and private information. 3.1.5

Measures to protect the right to honor, privacy and image

Social networks and platforms are very kind to protect this right. They implement the following measures: •

Studies. In case users detect an action that affects their rights in the platforms. o

Reports inside the social network: The main social networks and websites have this kind of measures that allows any user to notify the webmaster of the publication of a photograph that is inappropriate or that is used without permission, as well as to request the removal of any comment, video or image that goes against the right to privacy, honor and/or image. This report generates a cancellation of the content and notify to the reported user of its fault. Usually, in case that the reported user continues doing the same forbidden action, the Webmaster would cancel his/her account.

o

Express authorization by the user: It is related with the above-mentioned measure. It is required that the user must authorize the tags, comments or images, having the possibility to report the content to the Webmaster. However, this system is established by an “opt out”, (the user could ban and delete the content that was reported). The users who are not registered users and that are tagged could be more affected, because in some social networks it is possible to tag a user by just inserting the e-mail address.

It should be know, however, that the law should be applied in a systematic and integrated way. In this sense, social networks and Web 2.0 services, such as blogs, offer the user a space to exercise their fundamental rights as the right to information and freedom of speech.

The second nuance or precision the scope of protection of privacy, which is consistent with the lawful control to which reference has been made. It is clear that the telephone and email are included in this area with the additional protection that derives from the constitutional guarantee of secrecy of communications.”

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 73 of 143

Instituto Nacional de Tecnologías de la Comunicación

Any citizen may exercise the right to information. To be a legitimate need, this right needs to be of public interest and to be based on true facts. The removal of content may affect the rights of the author. The authors could be injured if the content is removed automatically and as a preventive measure. Therefore, it is necessary to define these procedures as contradictory proceedings in cases where the violations of the rights are not obvious or when they may interfere with a legitimate exercise of other rights. •

Human and technological methods of protection: o

Reporting procedures: Several social networks have tested systems to inform users about content that may affect them. Such warnings are displayed when users upload multimedia content, such as photos and/or videos.

o

Voluntary monitoring of the contents: Several social networks have volunteers to monitor the appropriateness of the contents. These groups monitor the contents posted by users, even those that are not directly in the platform but linked to it.

o

Software Applications for age identification: Some social networks have implemented, in order to protect minors, programs that detect the approximate age of the user. This technique is based on testing the expressions used by users in their messages (language, expressions, style of writing, etc…). The aim of this measure focuses on: ƒ

Detecting the presence and participation of children in social networks that are intended for adults.

ƒ

Users to identify adults who are trying to contact users younger than their age.

However, as it was noted above, these measures do not reach the desired degree of effectiveness. •

Training and awareness of users o

Information about the duties of the users: Social networks often come with lengthy contracts of adhesion, where the obligations of the users are diluted in a mix of contractual clauses. Specific information strategies should be adopted to compel a reading of the obligations of users.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 74 of 143

Instituto Nacional de Tecnologías de la Comunicación

o

3.2

Development and publication of codes of ethics: The existence of rules of ethical behavior is not new in the Internet world. The ISP should define a reasonable standard of conduct in their environments, beyond the application of the rules. Encouraging self-regulation codes for social network may contribute significantly to the training and awareness of the users.

Personal Data Protection

The functioning of social networks and collaborative websites is mainly based, as it was already mentioned, in the publication by users of their personal information and data, which implies different legal effects. 3.2.1

Definition of the right

The Spanish legislation, as the Portuguese Constitution, laid out in its Article 18.4 SC the foundations of a new fundamental right. This right was defined as "Habeas Data", although it is a much less accurate and appropriate description than when one refers to refer to the right to data protection. This right has been configured by the jurisprudence through series of sentences that start with STC 254/1993 and ends with STC 292/2000. They state that: "The protection of the privacy of the person and his/her reputation has a positive dimension that goes beyond the scope of the basic right to privacy (art. 18.1 SC), and that is developed by the right of control over their personal data”. The so-called "free IT" is entitled to control the use of the same data embedded in a computer program (habeas data) and includes citizens' opposition to certain use of their personal data for any legitimate purposes other than those that justified its acquisition (SSTC 11/1998, FJ 5, 94/1998, FJ 4). This fundamental right to data protection, versus the right to privacy of the Article 18.1 SC, shares the goal of providing an effective constitutional protection of personal and family privacy, gives to the person a bundle of powers to impose against others acts or behaviors that should be regulated by law, one that according to art. 18.4 SC limits the use of computers, protecting the persons´ right to data protection (art. 81.1 CE), and/or regulating its exercise (art. 53.1 SC). The peculiarity of this fundamental right to data protection, in respect to privacy’s right is therefore, to differ on its functions, content and object of protection. According to the Constitutional Court on the subject of the right to privacy is: "Any kind of personal information, whether or not an intimate knowledge of which is known by third parties may affect their rights the art. 18.1 SC grants its protection. Therefore, it reaches a public that personal data, which can be accessible to anyone guaranteed too Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 75 of 143

Instituto Nacional de Tecnologías de la Comunicación

the right to privacy over it. Also for this all data is under protection because with them anyone can identify or allow the identification of a person may serve to identify its ideological, racial, sexual, economic or other aspects, or used for any other purpose that in certain circumstances constitute a threat to the person." For regulatory purposes, it is understood that a personal data is "any information related to identify someone". Among the personal data in the context of social networks could identify the people, an could be the IP address, as defined by the Spanish Agency for Data Protection 67 and its Working Group in Article 29 in its "Opinion on the concept of personal data." 68 The large amount of personal data that users gives on their profiles, becomes true "digital identities" that facilitate a quick understanding of contact details, preferences and habits of the user. It should be considered in addition that data such as IP addresses, is used to segment the advertising that is targeted to different types of users as well as increasing the degree of contact between users. In this way, and considering the basic principles laid down in existing legislation, the protection of personal data should be particularly attended by any project related to the world of social networking and collaborative Websites where the operation and treatment of Personal information is the key element to its operation. 3.2.2

Applicable law: regulation and its evolution

The legal framework on data protection addresses the need to safeguard and protect civil liberties and fundamental rights to persons, and especially its honor, privacy and personal and family privacy, avoiding that the data are used improperly or fraudulently, or are treated or transferred to third parties without the owner’s consent. International regulations 67

Spanish Data Protection Agency, Report 327/2003.

https://www.agpd.es/portalweb/canaldocumentacion/informes_juridicos/otras_cuestiones/common/pdfs/20030327_Car-aa-cter-de-dato-personal-de-la-direcci-oo-n-IP.pdf 68

Opinion on the concept of personal data. The Work group considers directions IP like data on an

identifiable person. In that sense it has declared that “the suppliers of access to Internet and the local network administrators can identify by reasonable means the users of Internet to which they have assigned directions IP, because they systematically register in a file the date, the hour, the duration and dynamic direction IP assigned to the user of Internet. The same can be said of the suppliers of services of Internet that maintain a file registry in servant HTTP. In these cases, doubt that does not fit it is possible to be spoken of personal character data in the sense of the letter a) of article 2 of the Directive. (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_es.pdf)

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 76 of 143

Instituto Nacional de Tecnologías de la Comunicación

Currently there are laws to protect the personal data in at least 46 states. This, coupled with the fact that most standards are published and provide a new and specific issues arising from the Information Society, make the protection of personal data one of the biggest and best treated matter from the point of legislative. All this implies the creation of various guidelines made by the OECD 69 and the UNO 70 or the Privacy Frame of the APEC, 71 make that the basic principles and governing rules similar and approximate in each State. European regulations Just as happened with the development of the right to privacy, the Council of Europe 108th Convention 72 defines the context of privacy protection in relation to information technology and communications. Moreover, the judgments issued by the European Court of Human Rights produce legal domestic effects and inspire the work of the Constitutional Court in the interpretation of fundamental rights. The 108th Convention arose from the need to further protect the rights to individuals in connection with the use of computers, particularly in regard to privacy, protected by Article 8.1 of the European Convention on Human Rights. Furthermore, it should make this compatible with the legal protection of freedom to transmit information, and, finally, it was considered necessary to establish a common name between the State laws and over the would-be signatories to facilitate the international flow of data. The Convention was preceded by two resolutions of the Ministry’s Committee, the R (73) 22 73 and the R (74) 29, 74 concerning about data protection in the private and public sectors respectively, to bring forward some basic principles that later inspire the drafting of the Convention of 1981. Pursuant to this Convention, it should be noted that it has three different parts for his Explanatory provisions of substantive law in the structure of basic principles, the special rules related to international flow of data and mechanisms for 69

OECD guidelines on privacy protection and transborder flows of personal data of September 23, 1980. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html

70

Guidelines for the regulation of computerized personal data files adopted by resolution 45/95 of the General Assembly on December 14, 1990.

71

Asia-Pacific Economic Cooperation Privacy Framework http://www.apec.org/apec/news___media/fact_sheets/apec_privacy_framework.MedialibDownload.v1.html?url =/etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/2005.Par.0001.File.v1.1 72

Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, ratified on 27 January 1984 (BOE of 15 November 1985). 73

Resolution (73) 22 concerning the privacy of individuals with regard to electronic data banks in the private sector, as agreed by the Committee of Ministers on September 26, 1973.

74

Resolution (74) 29 concerning the privacy of individuals with regard to electronic data banks in the public sector, adopted by the Committee of Ministers on September 20, 1974.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 77 of 143

Instituto Nacional de Tecnologías de la Comunicación

mutual assistance and consultation of the Parties. The Convention has been supplemented by a set of recommendations to guide national policy decisions in specific sectors: The Convention also defines the basic concept of personal data, file system, automated processing or authority "file controller”, which today is defined as responsible. The Convention also establishes basic principles for data protection, such as the quality or security, the rights to access, rectification and cancellation, the protection of data revealing racial origin, political opinions, religious beliefs or other beliefs, as well as personal data concerning health or sex life, or of safeguarding procedures. Moreover the European Court of Human Rights has extended the application of Article 8 ECHR with a very broad conception of personal and family privacy that is the recognition of the right to data protection under the 108th Convention. Within the European Union Article 8 of the European Charter of Fundamental Rights specifically recognizes the right to data protection as an independent right to privacy, which includes both the right to consent, the duty to process data fairly and fulfill the rights to those persons affected and entrusted their care to independent authorities. This principle is also enshrined in Article 286 of the Treaty establishing the European Community. The European Union issued in 1995 by the Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of persons with regard to process their personal data and on transmission of such data, 75 so that the Member States harmonize and adapt their domestic legislation on protection of personal data. This text provides a regulatory framework aimed at establishing a balance between a high level of protection of privacy of individuals and the free flow of personal data within the European Union (EU). Key aspects of EU rules on data protection are: •

Establishing the principle of data quality, so that personal data must be adequate, relevant and not excessive, according to the purpose for which will be processed.



That is as basic and essential for the processing of personal data, the existence of prior consent of the data.

75

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:ES:HTML

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 78 of 143

Instituto Nacional de Tecnologías de la Comunicación



It requires States to establish an obligation to reconcile the right to privacy in the processing of personal data with the right to freedom of expression.



Establishing basic principles of citizens' rights to access, rectification, cancellation and opposition (ARCO) in relation to their personal data.



Is incorporated as a basic principle of ensuring confidentiality and the obligation to implement appropriate security measures to ensure that access to information is limited and controlled.



Set forth the basic principles for the establishment of National Authorities of Data Protection.



Laying down the foundations of international transfers of personal data.



It promotes the development of sector codes of conduct intended to contribute to the proper application of national provisions on the protection of personal data.



Establishing a Working Group on Article 29 reference institution in this area 76 .

It should be stressed further the important work done by the Court of Justice of the judgments which have clarified various aspects in this area 77 .

76

Established under Article 29 of Directive 95/46/EC and comprising representatives of the Data Protection Authorities of Member States. It is the independent advisory body of the EU on data protection and privacy. Its tasks are laid down in Article 30 of Directive 95/46/EC and Article 14 of Directive 97/66/EC. Researches, analyzes and combines the community-level initiatives in the protection of personal data. Its activity has been linked in recent times to the analysis of the services of the Information Society and the problems of data protection and security. The set of directives issued in this area is particularly extensive: • Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the Protection of Individuals with regard to the processing of personal data and the free movement of such data. • Directive 97/66/EC of the European Parliament and the Council of 15 December 1997 concerning the processing of personal data and privacy in the telecommunications sector. • Directive 2000/31/EC of June 8, on certain legal aspects of the information society, in particular electronic commerce in the Internal Market. • Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and privacy in the communications sector. • Directive 2006/24/EC of 21 February 2006, European Parliament and Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications or public communications networks by Council amending Directive 2002/58/EC. • Regulation (EC) No 45/2001 of the European Parliament and the Council of 18 December 2000 on the Protection of Individuals with regard to the processing of personal data by the institutions and bodies and on the free movement of such data. More information: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 79 of 143

Instituto Nacional de Tecnologías de la Comunicación

It is important to note that the recent meeting held by the Strasbourg authorities responsible for the protection of personal data in Europe, addresses the importance of data security in such services, blogs, social networks, and other advanced Internet services and the need for policy solutions and technology, at an international level, to ensure adequate protection of the rights to users. In this regard, the authorities gathered here have expressed publicly their decision to address the phenomenon of social networks and similar services, located to take in November 2009 a conference in Madrid (Spain), which addresses the possible drafting of a International Treaty on Protection of Personal Data, 78 which provide an extraterritorial regulation that is appropriate to the characteristics of such services. In this regard, the Director at the Spring Conference of European authorities on data protection (Rome, 2008) highlighted some relevant points from the viewpoint of this study. On one hand, it is clear that even if the citizens does not know precisely define the scope and nature of the fundamental right to data protection sense, recognize and identify as soon as it is threatened and put at risk and are concerned about the security of personal data on the Web Moreover, although the users are aware of the existence of privacy policies online, the number of accesses to the pages of privacy policies is low, almost marginal. Privacy Policies occupy hide spaces in sites and more of the times are unintelligible. Therefore, it is clear that people know the actual content and implications of these privacy policies. On Internet, no one can speak of an agreement based on credible or reliable information. The same applies to trails for navigation, cookies; and the indifference to these treatments disappears when it cause a clear risk. This state of affairs requires proposing, shared international standards to ensure effective protection of universal rights to users. Although this has a no normative value, it requires special mention the Communication on the promotion of data protection technologies by protecting the right to privacy (PET) from May 2, 2007 79 carried out by the Commission of the European Parliament,

77

A clear example is the case with the ruling in the case of Ms. Lindqvist, accused of having breached the Swedish legislation on the protection of personal data published on its website various personal data on several individuals as It worked voluntarily with a parish of the Protestant Church of Sweden. This lady has learned computer basics and design a web page of information kept in the parish who came to report on the health of a community member. Responding to the questions the Court identified the presence of a processing of personal data under the Directive.

78

For more information Agencia Española de Protección de Datos.

79

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0228:FIN:ES:PDF

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 80 of 143

Instituto Nacional de Tecnologías de la Comunicación

introducing a clear example of the protection of the rights to data protection and privacy of users, using tools called "PET". The "Technology protection of the right to privacy" (PET) technology systems are designed to reduce and, where appropriate, removing the impact of new information technologies on the rights to data protection and privacy of users, without undermining respect for the capabilities of technological systems. Some examples of PET: •

Automatic Data Dissociation. The data should be stored in a format that allows the person concerned, only to maintain it for the time necessary for the purposes for which it was originally obtained. Thus, once users are not active will be therefore necessary to decouple their data.



The use of encryption, prevent unauthorized access to information transmitted over the Internet, thus avoiding the unauthorized and unlawful treatment of personal data published on the Internet.



Invalidating the use of cookies, and prevent the website to install automatically on the user's computers, without its knowledge, to gather all information and statistics if the accesses that the user takes place during its navigation.



The Platform for Privacy Preferences (P3P), which allows users to analyze and compare the privacy policies of websites you visit, giving a report on the adequacy of these regulations.



The identity management systems that allow the control of users of the revealed data in every transaction, such as those promoted by the project PRIME (Privacy and Identity Management for Europe).

As mentioned in the Commission of Communication, the role of e-Government for Europe's future, e-Government PET should be used to generate the necessary confidence and provide a satisfactory service. United States of America In the U.S. case, the first rule for the protection of privacy on the Internet, was the "Electronic Communications Privacy Act” (ECPA), which ran from 1986 and sets out the normative basis as regards the regulation of privacy in electronic communications of users as well as the specific limits regarding the possibilities of access by the public to electronic communications of users.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 81 of 143

Instituto Nacional de Tecnologías de la Comunicación

In 1994, was published "The Computer Fraud and Abuse Act”, modifying the above mentioned, and defining and regulating more closely the various aspects related to information security with respect of viruses, spyware and various forms of malware circulating by the network and potentially jeopardize the integrity of privacy of users of online services. In 1998, the federal government published the "Children's Online Privacy Protection Act” (COPPA), which regulates more clearly protectionist and privacy of users of online services for underage persons by ensuring that all Service have content that should be targeted specifically to children under 13 years, will be the responsible for the adequacy of these same ages. Similarly, it provides that, children that have to provide personal information in a website must be reported clearly and in comprehensively form about what are the purposes for which they have requested those data, as well as the provision of guardians of underage, simple and free to know the kind of data provided by the child and to remove or update their data. In 2001, following the attacks of September 11, the federal government published the "USA Patriot Act” (UPA), in force since October 24, 2001 the "Cyber Security Enhancement Act” (CSEA), by authorizing the intervention by the government, of any electronic communication (regardless of the format in which it is), telephone, searches on Internet, as in search engines, etc, without been necessary to have a prior judicial authorization, which has led to a marked decline of civil and political rights for the security of citizens. Furthermore, it is worth noting the publication of "Controlling Assault of Non-Request Pornography and Marketing", in force since May 17, 2002 and had recently been amended and supplemented to some extent by the "Keeping the Internet Devoid of Sexual Predators", submitted for signature by the president of the United States on October 3, 2008. This rule is intended to allow the Attorney General to go to the registration of sex offenders to find matches to cases of attempted abuse in their own social networks and in any similar online tool, which has caused an immediate reaction of the various social networks that operate in the United States, expressing its readiness and full cooperation with the Security Forces in the search and removal of profiles of people suspected dangerous for children 80 . Finally, it should be noted the "Can Spam Act" A main focus of the enactment of this Act has been the homogenization of the spam legislation in the U.S., where he began to proliferate with various State laws approaches to the problem, they all abolished with the 80

For more information; http://blog.facebook.com/blog.php?post=34342042130

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 82 of 143

Instituto Nacional de Tecnologías de la Comunicación

entry into force of the "CAN SPAM Act”. This law establishes a series of guarantees that basically are: •

Mandatory labeling, if the messages of advertisements or pornographic.



Prohibition of forgery of the message headers, which identifies the issues thereof, together with the completion of misleading subject field.



Prohibition of surreptitious use of other personal computer for sending commercial electronic communications.



Ban collect email addresses without the consent of the affected and the use of "technical dictionary" (training for recipient addresses through dictionaries of names).

National Regulations In Spain, the regulation on protection of personal data is focused mainly in two standards: •

Law 15/1999 of December 13, Protection of Personal Data (LOPD).



Royal Decree 1720/2007 of December 21, by approving the development regulation of the Organic Law on Data Protection (RDLOPD).

There are also sector-specific rules in areas such as health, telecommunications and finance. However, the following rules are designed in a very particular on social networks: •

Law 34/2002 of July 11, Services Information Society and Electronic Commerce (LSSI-CE).



Law 32/2003 of November 3, General de Telecommunications.



Law 25/2007 of October 18, Conservation Information related to electronic communications and public communications networks.



Law 56/2007, of December 28, Measures to Promote the Information Society.

In accordance with the provisions of Law 15/1999, of December 13, Protection of Personal Data (LOPD), the object of the rule is to "... ensure and protect, with regard to processing of data personal, civil liberties and fundamental rights to individuals and especially of their honor and personal and family privacy. " Any processing of personal data must meet a set of basic principles:

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 83 of 143

Instituto Nacional de Tecnologías de la Comunicación



Data quality: is essential that the data processed is adequate, relevant and not excessive in relation to the scope and purposes specified, explicit and legitimate purposes for which they were obtained, and may not be used for purposes incompatible with those for that the data were collected. Data must respond truthfully to the current situation of the person concerned must rectify if there are errors. They may only be collected for compliance purposes specified, explicit and legitimate purposes of the data, prohibiting the collection of data through fraudulent, illegal or unfair methods. Moreover, the manager must keep personal information as long as the purpose and cancel when it stops.



Information on collecting data, the concerned will be informed at the time in which to collect their data, the scope of treatment to be performed. Article 5 of LOPD provides that "interested parties requested should be explicitly, precise and unambiguous in an informed: a) The existence of a file or processing of personal data, the purpose of collecting them and the recipients of information. b) The obligatory or optional nature of his response to questions posed. c) The consequences of obtaining data or a refusal to supply them. d) The possibility of exercising rights to access, rectification, cancellation and opposition. e) The identity and address of the controller or, where appropriate, their representative”.



Or consent of the affected or expression of will, freely given specific and informed by the concerned consents to the processing of their personal data.



Specially protected data, this principle refers to personal data that reveal the ideology, trade union membership, religion, beliefs, -the case that consent must be expressed and written for those referred to race, health, and sexual life- treatment for which consent is required, and those related to the commission of criminal or administrative.



Data security, all companies, organizations, associations and institutions, public and private, that store, process and access to files of personal data, should implement security measures and organizational techniques to ensure the confidentiality, integrity and availability of information.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 84 of 143

Instituto Nacional de Tecnologías de la Comunicación



Duty of confidentiality includes the obligations of secrecy, confidentiality and care incumbent upon those who process data and, in particular, for those who their functions is to access files containing personal data.



Data communication is "any disclosure of data made to a person other than the affected or interested." Personal data subject of the treatment may only be communicated to a third party for compliance purposes directly related to the legitimate functions of the assignor and the assignee's prior consent.



Data access for third parties, involves the provision of a service responsible for the file by a third company called the processor, which accesses the data file to fulfill the delivery contract, on behalf of account and according to the instructions given by the File Responsible.

Before making a complete analysis regarding the application of standards should take into account the extraterritorial aspect of the services of the Information Society. Since the vast majority of providers of such services operate from outside the EU (mainly them operate in the U.S.) it has been analyzed whether it is possible to require social networks their enforcement to community rules. In this sense, the legislation provides that it shall apply: •

When data processing takes place in Spain through an establishment of the treatment.



In the event that the responsible of data treatment is not in the Spanish territory, but it is directly applicable the Spanish law through international agreements.



When the controller is not established within the territory of the European Union and used in data processing, media or elements located in Spanish territory, unless such facilities are used solely for transit purposes.

It must be considered that in Spain, the law in relation to service providers, on legal and practical grounds, admits the possibility to apply the national data protection regulations, regardless of the location of where providers operate. On the one hand, the Orgánic Act 15/1999 on Protection of Personal Data states that there are two cases where responsibility applies to entities outside the EU/EEA: First, when treatment is carried out in the framework of the activities of an establishment of the provider in Spanish territory and, secondly, when the media is used in that territory.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 85 of 143

Instituto Nacional de Tecnologías de la Comunicación

In this regard, the Working Group on Article 29 has called its "Opinion on data protection issues in relation to search engines” 81 . This opinion contains a number of criteria to define when one considers that there is an agency of: "The existence of an "agency" means the effective and real exercise of activity through stable arrangements. The legal form of agency (a local office, a subsidiary with legal representation or a third party) is not decisive. However, another requirement is that the processing operation is conducted "under the" agency. This means that the agency should also play an important role in specific processing operation. This is clearly the case when: •

an agency is responsible for relations with users of the browser in a particular jurisdiction;



a search provider to establish an office in a Member State (EEA) involved in the sale of ads targeted to people in that state;



the agency of a provider of search engine meets the judicial and/or requests for enforcement by the competent authorities of a Member State in relation to user data”

Furthermore, as regards the provision of services by suppliers outside the EU using in that territory, the document contains a number of criteria. As the document states, "data centers located in the territory of a Member State can be used for storage and processing of personal data remotely. Other kind of media could be the use of personal computers, terminals and servers. The use of cookies and similar devices software from an online service provider can also be seen as a resource to media on the territory of the Member State. Also in 2002, the Working Group adopted a document about “the international implementation of EU legislation on data protection to personal data on Internet sites based outside the EU "(WP 56)” 82 . Given the complexity of this area and the dynamic Internet environment, this paper provides a tool and reference point for data on the examination of cases involving the processing of personal data on Internet sites based outside of the European Union. In the same way, the LSSI-CE provides its application to "service providers established in a State outside the European Union or European Economic Area." Thus, Article 4 stipulates that these providers will be implementing the articles on the free provision of

81

https://www.agpd.es/portalweb/canaldocumentacion/internacional/common/pdf/WP_148_Dictamen_Buscad ores_es.pdf 82

WP 56, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2002/wp56_en.pdf

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 86 of 143

Instituto Nacional de Tecnologías de la Comunicación

services and collaboration of providers of intermediation services to disrupt the service or remove certain content if it was declared a competent authority on Spanish the legality of them. And also, if their application provides its services specifically targeted to Spanish territory, provided that this is not contrary to international conventions. For purposes of determining whether the service providers run their services specifically to Spanish territory, has addressed several elements: •

If they have the domain name extension. Nic.es or is registered to operate through domain names "es.redsocial.com" or "redsocial.com / es"



If the site is located in Spanish.



If they have a specific Privacy Policy.



If the website by its appearance and content, could lead to suggest that is focused on the Spanish territory.



If the advertising is for products and services distributed in Spain.



If the number of Spanish users is higher on the web statistics.



If offices or commercial agents process personal data in the national territory.



If the service uses servers in Spain.

In this context, the Spanish Agency for Data Protection has affirmed its competence to apply these rules to service providers established outside the EEA regarding the provision of free email services 83 . 3.2.3 Possible risks on social networks. ¿How does personal data could be affected? The risks identified below, do not necessarily show that the service provider commits abuses unless that the facts show that usually the default configuration of their services usually offers a low standard of privacy. The consent provided is valid at the time when the user decides to accept the Privacy Policy and terms of use, contained in the registration form of the platform. The user must have to pay attention to the content and its consequences, this in order to make every 83

Case E/01544/2007.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 87 of 143

Instituto Nacional de Tecnologías de la Comunicación

policy transparent, accessible and clear for the understanding of the users. The AEPD has insisted about this matter on its "Declaration of search engine’s”, as well as in the "Resolution about free email". Similarly, users should always evaluate what kind of data is provided in the platform and published on their profiles, because it does not have the same significance for the treatment of the platform of basic personal data (as name, address, phone, etc) than other more sensitive information (income level, credit receipts, trade union or political affiliation, health, sex life, etc), where the level of protection and awareness by the user must be higher, because this information belongs to the most intimate sphere of their lives. Thus, although the information contained in user profiles is fed directly by them, it is necessary to consider what are the main risks that may result from the use of such platforms. As a general rule, it should be noted that social networks and collaborative platforms have legal notices, terms of use and privacy policies, although sometimes are written in a technical language difficult to understand for most of the users. In this way, despite of being listed on the website, those do not reach their ultimate goal: that is that the user completely understands the subject, purpose and terms for which they have collected and processed their personal data. The first critical moment for the protection of personal data is in the initial registration of the user, if this provides the information necessary to operate in the social network, the data provided may be subject to several risks: •

That the information requested on the registration form, could be excessive. It must be noted that often, social networks request new users data related to their political ideology, sexual orientation and religious preference. As these data are free to insert, users must consider the implications this can bring to their lives and those around them, as them could be visible for all his contacts. Therefore the users and those responsible of social networks should limit and control all the time that the extent and significance data is not extreme. It should be noted that Article 7 of the LOPD requires an express written consent in respect to data related to ideology, religion or belief, expressed in health, race and sex life.



That the level of publicity of the user profile is too high. At the time of the initial registration it is when it should be properly configured the level of publicity, to determine who will be able to access to all the information published. All networks are analyzed, and enabled by default in the lowest level of privacy, what give as a result

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 88 of 143

Instituto Nacional de Tecnologías de la Comunicación

that the access is completely public and generates a serious risk to the security for the users. •

That the purpose of the data is not correctly identified. Often privacy policies in such platforms, define the purposes for which the personal data are collected and processed, but is generally and completely unclear what may or may not process this data, which poses another serious risk.



International transfer of data. As it was mentioned, it is common that platforms are located outside the EU, mainly in the U.S., which means that at the time of the user registration, data is transferred to servers and offices located in this country. It is therefore essential that the privacy policies of the service provider ensure an adequate standard of protection. Alongside, is possible that platforms give their databases to third parties, to conduct campaigns sending unauthorized communications (spam) or carrying out another kind of treatment that enjoys a less protection in the country in which data are processed. This should be take care of, by the user, as a criterion for choosing a social network.

The second stage is considered critical for the protection of personal data is the intermediate stage, is where the user is active in the platform and uses its tools and services. At this time, the issues that may jeopardize the security and protection of personal data of users are: •

The publication of excessive personal information (own or of a third party). At this stage remains the potential risk associated with excessive publication of personal information by users. It also must take care about the possibility that users will also publish information regarding third parties, which may involve the processing and transfer of public data that people have not given consent to do so. The AEPD sanctioned the collection and publication of images of others in collaborative platforms without the consent of the affected persons 84 . In the same way, the AEPD has recognized claims against responsible of websites by canceling data that had been supplied by third parties in online environments 85 .

84 85

Spanish Data Protection Agency Decission Resolución de la Agencia Española de Protección de Datos PS/00117/2008.

TD/00266/2007.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 89 of 143

Instituto Nacional de Tecnologías de la Comunicación



The installation and use of cookies without the user's knowledge. Often in social networks and similar platforms use this files to have the possibility to store certain information about users and the way of navigation through the website. These files are installed on users' computers, making possible to detect the location from which the user has accessed, the kind of device used (fix or mobile), the content accessed, the most visited pages, actions undertaken during a normal browsing, and the time spent on each page, among many other features. This way of collecting data works automatically, not as the forms filled in websites. The IP address 86 from which the user connects to the Internet is considered by the Spanish Agency for Data Protection as a personal data, insofar as it can be linked to an identifiable person, that is to be understood therefore that through the possibility to obtain information regarding the uses and browsing habits of users in a website, which provides a very valuable tool in terms of marketing and advertising.



Web “Beacons”

87

. Are electronic images that allow the site to know who and what

has been viewed the online content. Normally these images are included in emails, ads, etc. Depending on the kind of access, this information might include the following: o

IP address and origin of the connection.

o

Mailing application that is used.

o

OS.

o

Moment in which the connection is realized and/or the web site is viewed.

o

Information about valid email addresses.

These and other information obtained can be used for different purposes, even as attacks against the user (taking advantage of the known vulnerabilities in the software), confirmation of email addresses (for sending bulk junk e-mail, marketing of databases), etc.

86

The IP address consists of a series of four numbers between 0 and 255 separated by dots that identifies a computer connected to the Internet. Obviously, this system is not used for navigation by the difficulties in this series of memory recall. In its place, the DNS (Domain Name System or Domain Name System) translates these numbers to web addresses, as normally used in browsers, which are easy to recognize and remember. 87

A Web bug or web beacon is a tiny image on a web page or in an email that is designed to control who reads the message. Its size is negligible and may be a pixel, transparent GIF format. Are represented as HTML tags. A web bug can have some information about the user (visitor to website or reader email).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 90 of 143

Instituto Nacional de Tecnologías de la Comunicación



Internet search engines automatically index the user profile. Most of the platforms analyzed for this study, and by the interviews made, allow to the main Internet search engines to index the user profiles with no restrictions in the Web In some cases the index includes the name of the registered user (nickname), a profile picture and the real name, as pictures of friends or contacts related, with an invitation to join the network attached. This fact poses a threat to the protection of personal data, because basic information and key contacts are exposed in a public network, that is accessible by any user and the data and information there exposed could become used in an uncontrollable way by a third party, that are not in the "closed circle" of the social network’s users. In addition it should be considered that the Spanish Agency of Data Protection has protected the right to oppose the indexing of names or other personal data on search engines that as automatic data process, it must conform all the obligations under the existing legislation 88 .



Receiving hyper contextualized advertising. Online advertising is a commercial model currently used by social networks. They can determine a degree of accuracy in respect of almost all kind of products and services that the user is going to look for, the information provided in this method via automatic and through an application of indexing algorithms based on the "boolean" logic 89 .



The receipt of unsolicited electronic communications (spam). Spammers as sources of information are using social networks and personal data that is subsequently target for unwanted communications. There are several types of spam in social networks: First, when the user starts to operate on the platform and subscribes to several applications or groups, those groups give the option to send multiple invitations to all his contacts. By this way, the user is sending to their contacts many communications; although in a first time it does not seem to have an eminently commercial effect, but making an analysis of it, this action reports main financial amounts for the platforms and developers of such applications, whose value increases to the extent of the number of users which the communication has effectively sent by the user.

88

TD/00463/2007

89

This is an algebraic system defined on a set B, which contains two or more elements, and between which are defined two operations called sum operation or OR (+) and multiplication or product or transaction AND " (+).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 91 of 143

Instituto Nacional de Tecnologías de la Comunicación

The second assumption is that the users allow the applications to access to their address books and send emails to all their contacts and an email inviting to register in the social network. The Spanish Agency of Data Protection has indicated the cases to distinguish when a communication has a commercial format and content; if the IP address from which the communication is sent, draws directly from the platform, and if those who receive it, does not have expressed their consent to do so, it would be a case of unwanted electronic communications or spam 90 . Moreover, when a user acknowledges for invitations of unregistered users in the platform to become a new member, this action could be interpreted as a form of electronic communication that is not desired, but should address the specific circumstances for each case. •

The impersonation of the identity of users in social networks. The term of identity impersonation as a recorded crime in our criminal laws, adopts a new significance in the online world, usually there are many cases of users who have several "digital identities". Of course this is not always a negative situation, until the possibility that another person could register the identity of another person. In this regard, some measures are discussed in the chapter of Recommendations of this Study.

The third critical stage in where the personal data of users are protected is at the moment when the user intends to unsubscribe of the service. At this time, many factors that may jeopardize the security and protection of personal data from users, as: •

The impossibility to perform a successful unsubscribe of the service. Having analyzed the processes of register and unsubscribe of social networks, it has been detected in some cases, in despite of the decline of the service request and in accordance with the Privacy Policy in some platforms, the unsubscribe of the service was not made out effectively, keeping the personal data of users available to the social network.

90

In this case we must consider the recent decision of the Spanish Agency for Data Protection. The key to resolution is in the following paragraph "The mailings that the complainant says that he has received for a continuous campaign to capture customers that promotes the defendant. The campaign is to offer registered users the ability to recommend friends and family services initiatives through the virtual site, which exists in such an easy site that allows one to refer to an email address informational message inviting the recipient to register with it. The recipient receives the message that includes a button that links directly to the customer registration page.”

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 92 of 143

Instituto Nacional de Tecnologías de la Comunicación

Often the user that attempts to unsubscribe of the service, find complex procedures that in any way related with the register procedure of the electronic platform. •

The data retention and compliance with the principle of data quality. Finally, the potential risk posed by the fact that social networks and other providers of information society, retain traffic data generated by users in their systems for a later use with the purpose to know their preferences and to perform contextual advertising with the content of their communications, affecting in this way the principle of data quality. In this regard, the Working Group of the Article 29 in its "Opinion about data protection issues in relation with search engines”, such as the AEPD on its "Statement of Internet Search Engines” 91 , published on December 1, 2007, talk about the issue of retention of personal data of users. The concern of the authorities on the data protection has caused that during the month of September 2008 one of the main Internet’s search engines have agreed to keep the personal data of users over a period of 9 months. However, social networks have not yet ruled on the matter, saying only that their privacy data will be treated while the duration of the relationship between them and the platform, thus obviating the information regarding the specific period of conservation. Although the particular case of social networks is not identical as the one of search engines, we can conclude that social networks, and services of the Information Society, should be subject to the application of data protection legislation and that should address the basic principles of the legislations, such as the principle of data quality, to the extent of keeping the data on their servers indefinitely, the principle of consent, to the extent that they can not treat personal data without having the consent of the holder with the data and the information principle, in so far as to report in a clear and understandable form to all users about what they will do with their data and the right to respect them at any time.

3.2.4

Vulnerable Groups. Underage and legally incapacitated persons.

With regard of the existing measures related to protection of personal data a special protection is particularly for vulnerable groups that are considered -underage and legally incapacitated persons-, it should be noted that from this point of view, it is particularly important the publication of Law 1720/2007 that approves the new Regulation of Development of the Organic Law on Data Protection (RDLOPD). Until it came into effect, in Spain there was no explicit reference for data protection for underage persons. 91

https://www.agpd.es/portalweb/canaldocumentacion/recomendaciones/common/pdfs/declaracion_aepd_busc adores.pdf

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 93 of 143

Instituto Nacional de Tecnologías de la Comunicación

The new regulation introduces a main specialty with regard to the provision for the consent of children by providing that the data obtained that correspond to anyone under 14 years, requires the consent of parents or guardians. The regulation also states explicitly that when collecting the child's consent it should be a simple and easily to understood and that it cannot be obtained from children information about their relatives. The person responsible that collects and processes personal data of under age persons is liable for articulating the methods to ensure that the age of the person has been effective proved, or that the age and authenticity of the consent given by their parents, guardians or legal representatives were appropriate. These policy measures imply that social networks and collaborative platforms require technological means to guarantee identification of the age of users. However, in despite of the obligation before mentioned imposed, if service providers, manufacturers and distributors of security solutions and non-governmental entities do not implement effective systems for the identification of underage persons, and therefore their process of data, is an imminent risk because that they might be being treated data that has not been given by an valid consent. One case of this matter has been fined by the Spanish Agency of Data Protection because of the lack of diligence when an entity do not made the appropriate identification of the data gave by an underage person. It takes place in a website, and the treatment of the data were used to send advertising 92 . With regard to possible situations that may involve risk of negative aspects to the security and privacy of underage and legally incapacitated persons, such as the publication of personal and family information, the need to advance in the technological research and development for new measures to effectively identification of the age of the persons, reach an effective solution that does not hind the development of the Information Society in young people. However, this matter not just implies technological solutions, as the Director of the Spanish Agency of Data Protection 93 on its intervention before the XXX International Conference of Data Protection Authorities said, the risks of minors on the Internet are based largely on an educational deficit by the unknown control over information. 92

93

PS/00281/2007 30th International Conference of Data Protection and Privacy Commissioners in Strasbourg.

http://www.privacyconference2008.org/ Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 94 of 143

Instituto Nacional de Tecnologías de la Comunicación

The current training for minors in the use of new technologies is insufficient. At the basic school, children are not advised about the way of how to control the personal information or to identify risks in the Information Society. The training over data protection has not been inserted in the scholar programs and it now necessary a real and effective compromise of national and local entities and educational. 3.2.5

Measures taken to protect the personal data of users.

As the responsible of social networks that for this study had been interviewed, for the proper protection of personal data of users, it is imperative to values the data find that users publish in their profile. They consider of extreme importance that public and private organizations make, from the moment when the record of a new user is created advice and aware them about the dangers of excessive publication of content. In a technical level, the before mentioned includes the following matters: •

Eliminate obsolete data that may exist on different servers and to encrypt those who are still in use, thus as minimizing the damage that may result from an attack from the outside from malicious users



Establish mechanisms for the analysis of the strength of the password so as to force the user to select a key one that is not easily decipherable by third parties 94 .



Decoupling the data contained of the user profile, so in case of unauthorized accesses made by third parties it would not imply that those parties have the access to user data and their use, and that it could be for malicious purposes.



Create categories for an effective profiles control (what kind of data could be allowed to be visible to other users o

Limiting the degree or advertising on a user's profile. The possibility to regulate and limit scope of advertising in a profile, allows to the user to adjust their degree of exposure of personal information and data incorporated into the platform with respect to other users. This measure gives the user real control over the information included in the platform.

o

Restrict or indexing profiles by the main Internet search engines. This measure protects users of a particular platform of indiscriminate searches that sometimes are conducted via search engines and that at any

94

Document “Recomendaciones para la creación y uso de contraseñas seguras” by “Observatorio de la Seguridad de la Información de INTECO” has relevant information the use of passwords.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 95 of 143

Instituto Nacional de Tecnologías de la Comunicación

given time can provide the personal information provided in the social network. o

Limiting the geographical consult of a profile.

o

Limiting the amount of data that users can introduce: for example some platforms decide to operate with a profiles nickname or alias deciding to who users they will shoe to (example: vi.vu).

Studies and other actions: •

Measures by which users can report situations in which their personal data and privacy has been involved. Every network must have a department for this matters to in an automated manner, in a first phase, this content could be locked and then in a second phase become individually analyzed. This allows to users to instantly claim for any possible breach of privacy or misuse of personal data.



When social networks collect data and information about their users, platforms should be guided by the principle of moderation, so that only request the data what them really consider relevant for the purpose of the platform.



It is also necessary to point out that some Internet service platforms are beginning to initiate training and awareness programs in schools and outside schools, with the aim of ensuring that both teachers and students fully aware of all the benefits and risks that may involve the use of such service. 3.3

Intellectual Property protection in social networks

The ease of reproduction and distribution over the Internet, makes the web a main mean for the growth as a main challenge as regards the control and protection of copyright. The contents are in digital format and, therefore, their distribution and public communication is much more easily than in other format. The content generation model has varied greatly in respect to the ones existing before by the emergence of Web 2.0, because now, the contents are not generated by only the authors now anyone has the possibility to generate and disseminate his works of intellectual property, and becoming a potential author, producer and distributor.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 96 of 143

Instituto Nacional de Tecnologías de la Comunicación

Social networks, particularly the collaborative multimedia platforms as Youtube, Dalealplay.com, MySpace, Google video, Redkaraoke, etc., are the best example of the possibilities offered by these platforms to authors 95 . 3.3.1

Definition of the right

Considering the protection of intellectual property law services in the Information Society should take into consideration the following premises: •

The author is considered as the natural or legal person who creates a work.



The intellectual property of a literary, artistic or scientific work, for the author is given by the mere fact of its creation.



Intellectual property rights are composed of personal rights and exploitation rights over the work.



Those considered works of intellectual property are the literary, artistic or scientific works.

The protection is addressed, therefore, by the right that the author has over his literary, artistic or scientific work. The protection includes of moral rights, such as property rights, giving the author's full willingness and the exclusive right to exclusive exploitation of their works. •

Moral rights: are those rights inherent to the person and therefore inalienable, and includes the "paternity" of the work, the integrity of the community, the decision on its spreading and recognition of their authorship.



Economic rights: rights that are economically quantifiable and can be arranged by holders (natural persons and legal entities). These rights are related to the activities of reproduction, distribution, public communication and transformation.

In this sense, the owner is the person entitled to authorize the reproduction, transmission or making available of a work of intellectual property ownership, 96 and being limited by the possibilities given by the right to quote, and private temporary reproductions or copies, among other.

95

From "Web 2.0, The Business of Social Networks" held by the Foundation for Innovation and Bankinter Fundación Accenture, published in 2007. 96

Art.2 Law 1/1996, of Intellectual Property.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 97 of 143

Instituto Nacional de Tecnologías de la Comunicación

3.3.2

Legal framework: regulations and its evolution.

The objectives of the legislation of intellectual property are aimed to protect the rights to artistic, scientific or literary works of authors and others persons implied with the works 97 . International Regulation International regulation on intellectual property is in a clearly advantageous level over other aspects analyzed in this study. Thus, in the year of 1996, frameworks were purposed by the World Intellectual Property Organization -WIPO- the adoption of two treaties to regulate the field globally: •

WIPO Copyright Treaty, which entered into force on March 6, 2002. Its purpose is defined by the protection of literary and artistic works such as books, software, music, photographic works, plastic works and cinematographic works.



WIPO Performances and Phonograms, which entered into force on May 10, 2002. Designed to protect the rights to producers of phonograms and the rights to performers when their work is fixed in any medium.

These standards represent a main advance in the modernization of international law, to give greater protection to the rights to authors, and to establish some basic criteria and standards development and implementation of measures to protect intellectual property services of the Information Society, and became commonly known as the "Internet Treaties". Both treaties require the establishment of a framework of basic rights, allowing creators to exert control and/or receive payment for the ways in which them are used. But the most important factor is the adequate and effective protection that the treaties granted to holders of these rights when their works are disseminated using new technologies and communication systems such as the Internet. In this sense, the Treaty provides: •

The reproduction right is applicable to digital and storing material in digital form in an electronic environment.



That the rights holders can verify if individual consumers have access to their online creations and how, for example: from their homes via the Internet.

To maintain a balance of interests between rights holders and consumers specifies that States have the flexibility to establish exceptions or limitations to rights in the digital environment, for uses considered as of public interest and/or for educational research. 97

Art. 1 Law 1/1996, of Intellectual Property.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 98 of 143

Instituto Nacional de Tecnologías de la Comunicación

This legislation does not explicitly regulate the services of the Information Society under consideration in this report, social networking and collaborative Websites, since at the time of adoption of these advanced services did not exist in that stage. U.S. the basic rule of protection of intellectual property rights is the Digital Millennium Copyright Act (hereinafter DMCA) of 28 October 1998, which provides exemption from liability of Internet service providers or ISPs in respect to the information transmitted, stored or disseminated by users through their information systems. This disclaimer, which is recognized in most parts of the world, applies as long as the Internet service provider: •

Do not have knowledge or get economic benefit from the illegal activity.



Have a policy on intellectual property published on its website which is accessible by users and,



Have a responsibility to address complaints of infringement of rights.

European legislation In an European level, within the legal areas of intellectual property and new technologies, the Directive 2001/29/EC of the European Parliament and the Council of 22 May 2001 on the harmonization of certain aspects of the rights to copyright and rights related to copyright in the information 98 society, under which Member States have exclusive right to authorize or prohibit direct or indirect, temporary or permanent reproduction by any means and in any form, extends to social networks and all this kind of platforms. Similarly, it provides that Member States shall, on behalf of authors, the exclusive right to authorize or prohibit any communication of their works, by a wire or wireless way, including making available to the public of their works. National legislation Like most of the rules of the surrounding countries, the Intellectual Property Act grants to authors of works on these exclusive rights, meaning that any process, reproduction, transmission or availability of the work shall be done with the permission of rights holders. Both, the national legislation, such as community, part of a high degree of restriction of the rights to use, so that nobody can exploit intellectual property rights without permission from the author.

98

Complete Text Directive 2001/29/CE will be availble at: http://eur-lex.europa.eu

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 99 of 143

Instituto Nacional de Tecnologías de la Comunicación

From the point of view, Spain has a great list of rules aimed at protecting intellectual property rights to authors and, more specifically, for the protection of intellectual property services in the Information Society: •

Royal Decree 1 / 1996 of April 12, by approving the text of the Intellectual Property Law (LPI), regularizing, clarifying and harmonizing the existing legislation on the subject, as amended by Law 23 / 2006, July 7.



Law 34/2002 of July 11, Services Information Society and Electronic Commerce (LSSI-CE).



Law 56/2007, of December 28, Measures to Promote the Information Society (LISI).



Organic Law 15/2003 of November 25, amending the Organic Law 10/1995 of November 23, Criminal Code.

However, despite the fact that it is newly updated rules, to regulate the use being made of any intellectual property through the services of the Information Society, there are several difficulties in the implementation of achieve the full protection of the rights to authors, with situations in which works with intellectual property are reported publicly or reproduced without the prior permission of the author. To minimize these situations, the Law of Services of the Information Society and Electronic Commerce (LSSI-CE) states that "providers of intermediation services are not obliged to monitor content that host, or transmit classified into a directory links, but should cooperate with public authorities, when they were required to interrupt the performance of the information society or to remove content from the network may be liable if, knowing the illegality of a certain material, do not act expeditiously to remove or block access to it." As ISPs, social networks such as Internet service providers have the technical capacity to control the content they hosted. Therefore, in principle can hold a general duty of supervision and control of the content of others, as due diligence or enforcement by the service they provide. From the viewpoint of the criminal regulation for the protection of intellectual property, the Organic Law 15/2003 of November 25, amending the Organic Law 10/1995 of November 23 of the Penal Code, has three behaviors related to their protection, but only those references that are directly related to the services under study:

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 100 of 143

Instituto Nacional de Tecnologías de la Comunicación



The distribution or public communication of protected content, either through the distribution of physical copies, or making it available on the Internet without permission from the copyright holder.



The importation or manufacture of software or any to breach technical protection measures in the works, i.e. any system that allows the system to skip anti-piracy or of a particular way or website.

In relation to the protection of intellectual property and collaborative networks, the criminal relevance criminal involved publicly and online content using P2P technology (technology is widely used in recent times by service online streaming video) and the possibility of creating online communities for the provision of links to download works of intellectual property has been reviewed by the Attorney General in Circular 1/2006 on crimes against Intellectual Property after the reform of the Organic Law 15/2003 99 , which states that the exchange of files through P2P networks does not constitute, in principle, the requirements to be classified as a crime against property intellectual subject that may be eligible to be considered a tort. The key element in determining the existence of this situation is that in principle there is no profit directly related to the activity, the essential requirement mandated by current regulations to be considered a crime. However, that should be addressed to the specific circumstances of each case. 3.3.3 Probable risks. ¿How could Intellectual Property Rights be affected in a social network? From the point of view of the possible risks that can be produced against the protection of the intellectual property in Internet, in general, and in the services of social networks and collaborative platforms, in specific, the main two situations are: •

When a user who is not the legitimate holder of the intellectual property rights of such published information publishes the contents.



Of another side, the legal implications over the works that are ownership of the own users and that these decide to share by these networks and public platforms.

Starting off of these considerations, the possible risks for the intellectual property are analyzed taking care of - since it has become throughout this Study - three moments nails in the “life” of any user in a social network: initial phase of registry, phase of participation of the user in the social network and phase of unsubscribe of the service. 99

For more information it can unload Circulating of the General Office of the public prosecutor of the State from the Web site: www.fiscal.es/fiscal/public

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 101 of 143

Instituto Nacional de Tecnologías de la Comunicación

Thus, the first critical moment for the protection of the rights to intellectual property with respect to the contents and elaborated works the initial phase is the registry of the user, moment at which this one, accepts the conditions of use which in principle they will govern all its relation with the platform. The user must specifically read, understand and accepts the conditions of use of the platform. Although it could seem that this fact does not have special importance is essential, in the measurement in which the users accept conditions of use frequently relative to the protection in the matter of intellectual property, by that totally yield his rights to operation to the platforms so that they freely use them during the legal maximum term of 5 years. If to the before mentioned it is added that most of the analyzed platforms gather confused conditions of use, with frequently extensive writings, of difficult understanding and that habitually they are lodged in places of the Web site difficult for the user, the number of users can be concluded that who read at great length and understand these legal conditions is not high. Therefore, is frequent that the cession of all the rights to intellectual property of the contents created given in favour to the platform, is made in a little reflective way, which exists a possible risk for the users who publish their works and creations in these platforms. The second moment in that risks for the rights to intellectual property can be produced is in the phase of participation of the user in the platform in which can publish contents own or of other persons - and shared with the other users members of the social network. At this moment several situations could be considered: •

That the own user, who publishes, has created the original content. In these cases, the user yields (in most of the cases) his rights to exploitation over its work, without hardly territorial limit, during a term of 5 years - maximum legal term and without right to receive no kind of compensation for that reason. Therefore, it is recommended that the user value a priori these performances that the social network can make with these contents.



That the published contents are property of third party. When a user decides to share within the social network, a determined work that the ownership is of a third party, does not have to forget that the platform acts in principle like mere intermediary, reason why the responsibility of the publication of this content falls directly on the own user.

Social networks and collaborative platforms have a great diffusion, and for the authors this form to distribute their contents can be very advantageous. Nevertheless, the Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 102 of 143

Instituto Nacional de Tecnologías de la Comunicación

main problem that can be raised is that there are no effective forms to control and to obtain a direct compensation by the work made. On the other hand, and independently of the ownership, the risk exists from which the contents (own or other people's) published by the users in the platform can be indexed by the motors search of Internet, which would entail that the diffusion was greater and therefore than the number of reproductions increased of exponential form, increasing, consequently, of direct form the compensation to the holder of the rights. Finally, the third moment at which the rights to intellectual property can be seen put under a possible risk derived from the use made in this kind of platforms, is in the phase of unsubscribe of the service by the user. Upon this sense, it agrees to distinguish the situation of social networks based on profiles and the platforms of contents, since, all the contents associated to the profile of the user: photographs, videos, works literary, etc., will be eliminated, or the access to such, will be blocked at least at the moment at which the user asks for the unsubscribe of the service. Nevertheless, in the case of the platforms of contents, the members can get to publish works without being associated directly to their profile, which can cause that, although the user asks for the unsubscribe of the service, the content publicly remains accessible. The cession of rights in favour to the platform would continue effective, reason why this one will be able to continue benefiting from the contents given by the users. 3.3.4

Groups specially protected. Underage and legally incapacitated persons.

With regards to the group of underage and legally incapacitated persons the Real Legislative Decree 1/1996, of 12 of April, that approves the Text of the Law of Intellectual Property (LPI) does not establish any special part in respect to the minors and the right to responsibility, could being able to be author of a work of intellectual property, any person independently of its age. Nevertheless, we have to consider that this Law states that “authors under eighteen years and greater than sixteen, that live independently (with the consent of their parents or guardians or with authorization of the person or institution who has them to their position) have the total capacity to yield operation rights.” It will be therefore necessary that those platforms, to accept the registry of users under 18 years, authenticate its majority of age or that they live on independent form according to the requirements arranged in the effective legislation. Other cases: Workers

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 103 of 143

Instituto Nacional de Tecnologías de la Comunicación

With regards to the workers, the LPI establishes in their articles the 51 100 (with respect to the labor relations) and 97 (computer programs) forecasts for the subject work accomplishment to a labor relation and the legitimate holder to whom belongs the responsibility that, except for pact in opposite, usually is of the employer or legal person that publishes it. For the authors who are under a labor relation, it indicates two conducts from which a series of risks can be derived: •

First of the assumptions to analyze, includes the case in which a worker discloses by means of a social network that is working in a certain work or that anticipates of previous form its launching. These conducts can injure its rights to intellectual property and entail its vulnerability of the norms expressed in the Criminal Code, since the authors of the work, on its moral right, must be able to decide if publish or not this information, and at what time (without entering considerations of market and competitive disadvantage). In these cases, it is available a work that has not been finished yet and, in addition, that it has been obtained by an illegal form, reason why the exception of the private copy, cannot be exposed. Such case of revelation of contents would suppose the dismissal of the worker and the possibility of civil demand to the holders of the disclosed work.



The case of the applications development will govern the article 97 LPI, arranges that, in the case in which a wage-earning worker creates a computer program 101 during his day of work and do this using the means of the average, the software will be of the ownership of the company.

3.3.5 Measures to protect the rights to intellectual property of users and third parties. As it has been mentioned, the Law 34/2002, of 11 of July, Services of the Society of the Information and of Electronic Commerce (LSSI-CE) for the case of Spain like Digital 100

Sentence of the Room of the Civilian of the Supreme Court of 29 of March of 2001, has been clear when it has affirmed that from the Art. 51 LPI that the creation and cession of an author work can be carried out by means of the contract of work and with subjection to the labor legislation; of such form that when the result of the work is an author work the cession of this one does not have why to include to the integrity of the rights of intellectual property, but only to main or the most excellent ones than they are those of operation of the same in attention to its present time. Indeed in that rule it is indicated that the fact that the industralist does not show such absolute property on the fruits of the work - in this case of a worker who creates an original work does not prevent that this contractual relation is formed like a labor relation. Thus, the heading of the mentioned rule of the LPI is clear when employee talks about to “the transmission of the rights of the author”. 101

The applications generated for the social networks are still software, the única difference that has with respect to the traditional programs más, is the language of programación used in the same.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 104 of 143

Instituto Nacional de Tecnologías de la Comunicación

Millennium Copyright Act (DMCA) in EE.UU, use the system of report for an infraction of rights to intellectual property, by means of which the user can internally notify the administrators of the platform that exists a non authorized operation of rights to intellectual property, so that this one can verify it and in its case of retiring the content. In this sense, and so and as some of the analyzed platforms, exist bilateral agreements with associations of authors and great owners of organizations owners of the rights to exploitation, by means of which those that are the own holders of the rights to exploitation are in charge to watch, to review and in its case of retiring the contents that harm their rights. This measurement equips to each one with the holders with privileged accesses the platform, as well as labeled authentication codes and of its works, of such form that are detectable of simple form and a fast and effective performance is allowed. Similarly, lately it is being observed like more and more the great companies of the industry of contents are reaching bilateral agreements with the platforms from diffusion and social networks to open channels in which to lodge and to publish they themselves its contents, like countermeasure in front of the indiscriminate and uncontrolled publication of contents of its property on the part of the users. Of this form it is not avoided that they are published in the network, but the control of the published contents is made. This kind of measures supposes a clear representation that the market is changing and of that the intervening agents are beginning to note in the Society of the Information, an opportunity and not an obstacle, which without a doubt some augurs good results in the next years, and as it recently exposes the study published by ASIMELEC, on “the Industry of the Digital Contents 102 ”. On the other hand, the Court of Justice of the European Communities has affirmed that the States members when incorporating to their legal systems the directors who protect the rights to intellectual property, in the Society of the Information, must guarantee a right balance between the rights to the protection of personal data, the judicial trusteeship and the property 103 . Recently, the Study of the European Parliament, that discarded to grant “a similar as the police officer power” to the Internet providers, have received the support of the European Commission, indicating that the operators “cannot restrict the access of the web surfers 102

103

More Information: 2008 Report Digital Industry Contents. ASIMELEC STJCE de 29/01/2008. Case C-276/06. Promusicae.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 105 of 143

Instituto Nacional de Tecnologías de la Comunicación

nor the fundamental rights to the citizens without previous a judicial authorization” 104 , although the proposal is pending of definitive approval. In the same way, and from the public point of view, in Spain, the Ministry of Culture approved the integral Plan of the Government for the diminution and elimination of the activities against the intellectual property, published in the BOE of 26 of April of 2005 105 , that is based on the fight against the piracy. Thus for example, they are being centered in the platforms of illegal sharing of contents. The Record and Audio-visual Industry has formed what they themselves have denominated “the Coalition”, formed by SGAE, Promusicae (AIE and AGEDI), the Federation for the Protection of the Intellectual Property, the Association of Cinematographic Distributors (ADICAN), the Association of Distributors of Videos (ADIVAN) and EGEDA, whose purpose is in fomenting the protection of the rights to the authors that represents, showing special attention the vulnerabilities that have their origin in the services of the Society of the Information. On the other hand, the Spanish Agency of Protection of Data has formulated recommendations on the necessity of approve a Law that allow to protect the intellectual property of authors in conjunction with the personal data protection 106 . 3.4

Protection of Users and Consumers

The advances of social networks and collaborative platforms are modifying the commercial practices, redefining the way to offer goods and online services by means of the hyper contextualized publicity according to the user profiles, being diversified the market and creating new channels of distribution. These new business models are based on the electronic commerce can wake up a certain degree of uncertainty in the consumers, around questions relative to the security of the electronic transactions, to the improvement and validity of contracts, to the applicable law or the competent jurisdiction in case of litigation, among other questions. The following sections deepens in the analysis of these aspects informing about the normative instruments and technological measures that exist at the moment of the service of the consuming users/of goods and services through Internet to surely guarantee surroundings of economic traffic and reliable that guarantees the total legality and

104

More information at Consumer Eroski Tecnologías de la Información

105

More information at www-mcu.es

106

Memory AEPD 2007, legal advice 2ª.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 106 of 143

Instituto Nacional de Tecnologías de la Comunicación

transparency in the process of product purchase through Internet, in general, or of any social network or collaborative platform. 3.4.1

Definition of the right

By consumer is understood as the physical or legal person “who takes part within a commercial activity, with the intention of acquiring a product or service to a determined price, or is through habitual commerce or by means of transactions of electronic commerce”. To the effects to determine what is understood as distance “celebrated contracts”, it is necessary to take care of the following definition: “the celebrated contracts at a distance are those celebrated with the consumers and users within the framework of an enterprise activity, without the simultaneous physical presence of the contractors, whenever the supply and acceptance are made of exclusive form through any technique of remote communication and within a system of hiring at a distance organized by the seller” 107 . The law has many means through which benefits of remote services can be made, being most habitual: “the forms, with or without concrete addressee, the standardized letters, the publicity in press with order coupon, the catalogue, the telephone - with or without human intervention the radio, the telephone with image, video-text with keyboard or touch screen, the electronic mail, the fax and the television”, among others. Thus, the rights to the consumers and users, with regard to celebrated contracts at a distance, so and as the Title III Real Legislative Decree 1/2007, of 16 of November, General Law for the Defense of the Consumers and Users is approved and other complementary laws, include/understand the following principles: •

Right to information.



Right to abandon.



Minimum warranties of the product.



Commercial communications and false advertisements.

3.4.2

Applicable Regulations: Regulation and its evolution

The effective norm applicable to the sector of consumers and users intends to safeguard the rights to the users and the fulfillment of the obligations imposed between the intervening parts. 107

Concept stated in Law for the defense of users and consumers.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 107 of 143

Instituto Nacional de Tecnologías de la Comunicación

International Regulations At an international level there is not an express agreement over the matter. Nevertheless, recommendations and assimilated guides of the OECD coming from the different meetings between the Commerce Ministers of States. Among them it emphasizes the OECD Consumer Protection Guidelines (the OECD Guide of Protection of Consumers), approved in September of 1998 with a programmatic purpose in which the basic principles settle down stops: •

To control the fraudulent commercial conducts.



To resolve controversies and to give back objects.



To assure the privacy the data of the consumer in the electronic transactions.

In EE.UU, from the point of view of the services of Internet in the matter of protection of consumers and users, the competent organ is the Federal Communication Commission (FCC) although, to date, it is not had a regulation to general level to the defense of this group. European Regulations At an European level, the effective legislation in the matter of protection of consumers and users is arranged in four Directors: •

Directive 93/13/CEE of the Council, 5 of April, on the abusive clauses in contracts celebrated with consumers.



Directive 99/44/CE, of 25 of May, the European Parliament and the Council, on certain aspects of the sale and the guarantees of the consumer goods.



Directive 97/7/CE of the European Parliament and the Council, 20 of May, relative to the protection of the consumers in the matter of contracts at a distance.



Directive 85/577/CEE of the Council, 20 of December, referring to the protection of the consumers in the case of contracts negotiated outside the commercial establishments.

In addition, the Directive is 2000/31/CE of the European Parliament and the Council, of 8 of June of 2000, relative one to certain legal aspects of the electronic commerce in the inner market, object of transposition in Spain in present Law 34/2002,

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 108 of 143

Instituto Nacional de Tecnologías de la Comunicación

of 11 of July, Services of the Society of the Information and of Electronic Commerce (LSSI-CE), ordered to regulate the benefit of services of the Society of the Information. National regulations Chronological is due the Law 7/1996, of 15 of January, Arrangement of Retail Commerce, whose object of regulation are the remote sales, settling down that they are that kind of sales that are made “without a simultaneous physical presence” of the parts, whenever essential actions of the contract, like the sale and the acceptance, are made by any way of remote and carried out communication within a system of hiring organized by the seller. The Real Legislative Decree 1/2007, of 16 of November, the General Law for the Defense of the Consumers and Users and other complementary laws, without damage of the arranged things by the LSSI-CE with regard to the electronic hiring, arrange what information must appear in the remote sales of clear form, comprehensible and unequivocal, before initiating the hiring procedure: •

The identity of the salesman or lender of services and his direction.



The essential characteristics of the product or service.



The price, including all the taxes.



The payment method and modalities of delivery or execution.



The existence of a right to dropping of the claim or resolution and the causes



The cost of the use of the technique of remote communication, when it is calculated on a base different from the basic tariff.



The term of validity of the supply and the price.



The minimum duration of the contract.



In case, that the salesman arranges or it is adhered to some extrajudicial procedure of conflict resolution.

When the user is simultaneously a consumer immediately obtains the rights contemplated in the legislation for consumers and users, who cannot be waived and them will be exerted automatically, although the applicable legislation is not the Spanish. This will happen if there is a contract establishes a narrow bond with any State member.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 109 of 143

Instituto Nacional de Tecnologías de la Comunicación

Remote agreements can be made including general conditions, which will have to be builtin to the contract, to be accepted by the user and to be signed or to be accepted by both parties. The general conditions will never prioritize over the specific ones, unless the generals are more beneficial for the adherent. The doubts on the general conditions always will be solved in sense that favors the adherent. In this sense, it is has to be applied the Law 7/1998, of 13 of April, of General Conditions (LCGC). The uses of general conditions are frequent in the online commerce. One is adhesion contracts in which consuming users/do not have any kind of capacity of decision and variation of the clauses, having to accept, in any case, the conditions that the seller had arranged. It is by that the effective law tries to increase the level of protection of the consumers/users of this kind of procedures of subscription to services. The general clauses will not be introduced in the agreement that the adherent has not had real opportunity to totally know, article 7 of the LCGC. For that reason, in electronic contracts, it is important to make know its existence and location, as much at the moment of the company/signature, before the initiation of the company/signature process. In addition, the clauses will have to be legible, clear, simple and comprehensible, not to run the risk of invalidity gathered in article 8 of the LCGC. When some clauses are considered null, but with the rest and the individuals the contract can continue subsisting, this one will not be considered ineffective. Finally it is possible to emphasize the arranged thing by the specific norm to the regulation of the electronic commerce in Spain, concretely in Law 34/2002, of 11 of July, Services of the Society of the Information and of Electronic Commerce (LSSI-CE), in which one arranges that “the contracts celebrated electronically, will produce all the effects when the necessary consent and the other requirements for their validity concur”. In addition, the Civil Code, the Code of Commerce and the laws before will enforce them. 3.4.3

Possible risk. ¿How do these rights could be affected?

In some cases the possible risks of a consumer -as user of social networks- can be assumed by the own user, since is the user who maintains the control of the information lodged in the platform or social network, which by a voluntary form has been registered in. Based on its activity, every supplier established in Spain must fulfill certain obligations that the LSSI-CE establishes, with the purpose of guaranteeing that its activity is made with total transparency, without harming the rights to the users. Thus, the Article 10 LSSI-CE gather a series of obligations in charge of the service providers of the Society of the Information, with the intention of preserving the right to

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 110 of 143

Instituto Nacional de Tecnologías de la Comunicación

information to consumers and users, in respect of the goods or services that are provided. Specifically the user, must inform about: •

Name or social denomination, address, direction of electronic mail and any other data that allows the contact.



The data of inscription in the Mercantile Registry.



Data relative to authorizations, in case of being subject to it.



If the provider practice a regulated profession, it will have to indicate: the data of the professional school, official academic degree, place of expedition and homologation, and if it is the case; professional norms applicable to the exercise of its profession.



The tax identification number that corresponds to him.



Clear and exact information about the price of the product or service, indicating if it’s the TAX included and, if its the case, the expenses of shipment.



The conduct codes to which it is adhered.

Another possible risk in which a consumer can be faced with, is the referred to deceptive advertisements, which it consists in the manifestation carried out as illicit publicity and made by any form that it induces or that could induce the consumers to commit an error, and being able to affect his economic behavior or to harm the advertiser’s competitors. On this matter, the Law 34/1988, of 11 of November, of General of Publicity determines all the elements that characterize the deceptive publicity (characteristic of the goods, price, conditions and reasons of the offer). The acceptance of the general conditions constitutes another fundamental aspect to consider by the consumer before agree with the service offered through a collaborative platform or social network. As it has been indicated, the own legislation establishes the obligation to inform to the user in a clear manner the needs over the conditions on which the parties must be yield to. However, the appearance of abusive clauses in a contract constitutes a defect with transcendental legal implications between the parties. The own norm defines as abusive clause the following one: “All those stipulations non negotiated individually and all those practices non allowed specifically that, against the exigencies of the good faith, cause in damage of the consumer and user an important imbalance of the rights and obligations of the parts that are derived from the contract”.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 111 of 143

Instituto Nacional de Tecnologías de la Comunicación

In any case, every contractual clause that limit the basic rights to the consumers and users who are well-known as out of proportion in relation to the service provider or who prevail of the enjoyment of the rights who the own norm grants, will have the character as an abusive clause. The development of the new technologies, together with the growth of the commercial activity through Internet, has given rise to new abusive practices derived from the breach in the legal dispositions that, in more extreme cases, derive in the commission of crimes sanctioned by the criminal law. It is obvious that any person who raises the Network with any kind of information or archives –being/or not a service provider- is responsible of the licit precedence of the services or products offered. 3.4.4

Specific Cases. Underage and legally incapacitated persons.

Normatively, the LSSI-CE establishes that, in case of accessible pages focused for underage people, they do not have to integrate contents that attempt against the protection to the childhood and of youth. There is software that filters and blocks content in order to control and to restrict the contents or materials to which the underage people can access. In any case, it is recommended to guide the children on how to surf by the web. 3.4.5

Measures to protect the rights of users and consumers

At the moment the measures used by the online platforms that operate as sites of electronic commerce or that can be seen put under the law of consumers are: The systems of electronic identification based on certificates of a recognized electronic company/signature, are beginning to being used by the platforms of average electronic commerce as a measure for guaranteeing the commercial transactions that consumers make. The implementation and use of this kind of systems allows so much to the consumer as to the store of electronic commerce to guarantee: •

The identity of the person whom it buys and the one that sells.



The integrity of the Lent’s consent.



The “No repudiation” of the transaction.

By this form, any consuming user/who buys through Web site: Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 112 of 143

Instituto Nacional de Tecnologías de la Comunicación



Has a total security of which the holder of the dominion name and of the store online, is the company that really sells products or services.



It can show that in a specific day, in a specific hour, has expressed its consent and paid an amount guaranteed in exchange for the shipment of a product.

On the other hand, the seller has guaranteed that: •

The technological capacity to electronically accredit the date and hour of when the consent has been lent by the user.



The acceptance by the user/consumer of the general conditions exposed in the Web site.



In case that the user denies that he was he who lent the required consent, the user will have to demonstrate it, being reflected therefore the “not repudiation” before mentioned.

In this sense, is essential to consider that the total implantation of this kind of systems of electronic identification will be applied totally at the moment in which the electronic DNI reaches a global penetration on national and European citizens, moment at which the development of the Society of the Information will be sustained in more solid principles of security, identity and integrity. In the same way, the great majority of the analyzed platforms that count with procedures of electronic purchase, resorts to the installation in their servers of a protocol of safe port, (Secure Socket Layer or SSL), that guarantees to all its users that the communications, requests and information transmitted between the Web site and the user, are not accessible by a non authorized third party. As well, all the platforms that integrates electronic commerce have a Terminal Point of Sale - TPV- of electronic payment provided by the financial entity, that puts under a procedure of electronic payment a protocol of security, properly certified to guarantee the establishment does not have access, neither conserves, nor deals with the data credit cards for the users. On the other hand, the clear evolution of the platforms in relation to the alternative means of payment that totally guarantees the security of the transactions and that anticipate insurances of responsibility for the case that the product are not received or that the transaction undergoes some kind of error.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 113 of 143

Instituto Nacional de Tecnologías de la Comunicación

It is possible to emphasize services like Paypal, pertaining to the group of companies of Ebay Inc., that make available means of safe payment, based on directions of electronic mail and credit cards, that guarantee to the users, an economic insurance for all and each one of the transactions that carry out through this system. In the same way, it supposes a guarantee for the consumer/user to have available the general terms and conditions, where all the clauses relative to the guarantees are arranged, as terms of return, prices, shipping, among others. However, at the moment this guarantee is not totally implemented, as it has been analyzed in the elaboration of this Study, by not having legal documents that fulfill a strict form with the obligations arranged Law 1/2007, of 16 of November, the General Law for the Defense of the Consumers and Users is approved and other complementary laws.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 114 of 143

Instituto Nacional de Tecnologías de la Comunicación

4

PROPOSALS AND RECOMMENDATIONS ADDRESSED TO THE AGENTS PARTICIPATING IN SOCIAL NETWORKS

Social networks and collaborative websites have revolutionized the Internet, providing the users uncountable benefits. However, it becomes more and more necessary for their agents to take into account certain aspects related to the security and the protection of the users, in order to ensure that the use of this kind of services will benefit everybody. Thus, in order to properly protect the final users, it is necessary for the main agents of the value chain to consider the correct application of some recommendations addressed respectively to social networks and collaborative platforms (respect of legal and technological requirements), the ISP services and the internet access providers (respect of technological requirements and of the security of the users), the producers and the providers of informatic security services (respect of the necessary tools to ensure the security of the users), the Administration and the Public Institutions (respect of the legislative measures; respect of the awareness and the training of the users as well as the agents of the market) and the users (correct use of such platforms). In this respect, the following aspects will be emphasized: •

The knowledge and the assessment of the fulfillment level of the current Spanish and European legislation by social networks and the collaborative platforms.



The knowledge and the assessment of the security systems implemented by social networks and similar platforms, to protect the users.



The knowledge and the assessment of the sociological implications that social networks and similar platforms are entailing in the habits of the users.



The obtention of national and international statistics regarding the way underage users are using social networks as well as their legal protection and the technological situation in this respect.

Based on interviews conducted in the sector, as well as on round tables gathering specialists in Technological Law and the Security of Information, and other ones respectively bringing together underage and adult users, here are exposed the main proposals and recommendations the agents of social networks should consider.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 115 of 143

Instituto Nacional de Tecnologías de la Comunicación

4.1

Proposals and recommendations addressed to the Industry

4.1.1 Proposals and recommendations addressed to social networks and the collaborative platforms It has been repetitively demonstrated that social networks and platforms which generate and maintain the highest degree of trust among their users are the ones that are currently triumphing and are being considered as references, at the local and international level. The following proposals intend to provide social networks and platforms basic recommendations that are essential for them: a) to comply with the European and national legalizations, b) to ensure the protection of their users, c) to be aware of the legal and technological implications conveyed by the execution of certain practices, d) to identify the technological tools necessary for their services, e) to increase the level of awareness related to the necessity to improve the security and the protection of the users. The recommendations exposed hereafter had been deduced from the interviews and the round tables previously mentioned and had been classified in two blocks or levels: Technological and Security Recommendations Transparency and easiness to access the information Through the analysis and the revision of the platforms with the highest number of users registered at the national and international level, it appears necessary to improve their level of transparency and to facilitate the access to the Users Conditions of their service. In this respect, it is fundamental that these kinds of platforms display all the information related to their services in a clear and understandable manner, in a way that the language employed in their User Conditions and Privacy Policy will be perfectly understood by any kind of users, letting him or her know what are his or her rights and obligations while using their services. In addition to this measure, it is essential that social networks spotlight in their pages a specific section intended to inform the users, at any time of their navigation, about the User Conditions and the implications of their actions while using the platforms. In order to reach the highest level of efficiency, it is advised to create “microsites” 108 with direct access from the homepage of the social network, in which is displayed the 108

Small websites with specific contents that depend on another one.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 116 of 143

Instituto Nacional de Tecnologías de la Comunicación

relevant information via FAQs sections or multimedia contents (videos, slide presentations, etc...) that will allow the users to get to know in a simple and understandable way what are the implications of their actions while using these platforms, as well as their rights and obligations. Finally, it has been noticed that every social networks and platforms reserve the right to make changes of their User Conditions and Privacy Policy at any time without warning the registered users or asking for their acceptance. As for this matter, it is essential that social networks maintain their Privacy Policy and User Conditions without any significant changes for their users, unless asking previously for their agreement, enabling them to opt out easily and effectively. Guaranteeing the users an absolute control over the processing of their data and the information published on the web Considering that social networks are free to operate from any place, it is recommended that they comply with the European and the relevant national legalization, in order to improve the well-being and the trust of their users and of the European authorities. As indicated previously in the study, the platforms should guarantee to the users a complete control over the information they publish about themselves on the network, putting at their disposal the greatest number of technological tools, aimed at ensuring this right in an automatic, simple and quick way. Thus it is essential for collaborative platforms to implement, as many social networks already did, tools that will allow: •

To exercise automatically the rights to access, rectify, cancel and oppose personal data, published in one’s profile or in the one of another user of the network.



To always inform explicitly on how and what for one’s personal data or information published on the network will be used.



To limit the possibility to tag the users on the network, in such way that any person tagged with his or her name receives automatically a request to accept or refuse it, preventing in the last case to publish and process the unauthorized data.



This measure should be associated with a tool that will allow users to withdraw any content that displays any personal data or information.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 117 of 143

Instituto Nacional de Tecnologías de la Comunicación



That the implemented flagging systems allow the users to opt out and block the access to the denounced contents. This process should be completely automatic and of immediate application.



To configure by default the top-level privacy of the user’s profile, letting him or her keep it as it is, considering his or her preference.

In order to avoid the processing of non-authorized data by searching engines, the platforms should include in their HTML code some consistent changes to prevent the searching engines to index the users profiles, unless authorized by the user him or herself. This will guarantee a better control of the information published on the web, avoiding it to be accessible by anyone that is browsing on the Internet. At last, and with the objective to control the published contents and their ownership, the platforms should consider protecting the rights of intellectual and industrial property when it comes to contents published by third parties on the network. In this respect, it is highly recommended for social networks and platforms to: •

To have flagging system that will allow the users to denounce the existence of contents protected by the right to authorship, that have been published without the consent of his or her author.



To have the staff or some automatic systems that will effectively prove that the contents are subject to intellectual rights (such as DRM or metadata in their own contents).



To inform the users of the nature of the rights to authorship and the importance to respect them for the correct use of the service, through general conditions of registration, FAQs, automatic warnings sent before the contents that might be subject to intellectual property rights are being published,

Guaranteeing the technological security of the platform The persons in charge of collaborative platforms should be aware that their services are mainly based on the sharing of data that might be personal. They should protect their networks against potential attacks. It is fundamental they choose a reliable Internet Service Provider (ISP) 109 , that will ensure the highest level of security. The ISP should guarantee at least the following aspects:

109

The services provided by the ISP should be secured by back-up systems, reliable server, secure accesses, etc...

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 118 of 143

Instituto Nacional de Tecnologías de la Comunicación



That their DNS services 110 should be completely secure and should not present any kind of vulnerability, since a failure of their security systems would mean a potential threat for the platform. If the DNS server is attacked it might redirect the users to a fake and undetectable website, which would mean a serious risk.



Employing for the servers and in their own application tools especially made to detect, avoid and block phishing and pharming cases, warning the users of the security and trust levels of each communications received through the platform.



Employing tools to avoid spamming. As indicated in the study the spam have been exponentially used within social networks, because of the potential viral effect they are conveying. It is necessary that the persons in charge of the platforms take measures within their scope of action to reduce the number of undesired emails.



Because the legislation, in some States, seeks to limit the access of social network to underage users, it is recommended to implement technological measures to verify the age of the users, such as: the electronic signature or applications that will detect the websites most visited by the potential user and thus determine approximately his or her age.



To have tools that will prevent cases of identity stealing, allowing the legitimate user to get back his or her access and block the other user.



To have systems that will let the user know the level of security of the password he or she had chosen when registering, indicating them as well what they should do to increase this level. It is also recommended to employ unique systems to identify the users, independent from the service they want to access. This way the security efforts would only have to focus on the identification system.



Employing systems to encrypt the content of the platform, so that the information shown on the website for each user will be inaccessible by a third party. It is recommended to implement a secure connection through Security Socket Layer

110

The IP address is formed by a succession of numbers between 0 and 255 divided in four groups and separated by dots, which identify a computer connected to the Internet. This system is of course not used for browsing because of the difficulty it would mean to remember these numbers by heart. The DNS (Domain Name System) translates these numbers in web addresses, as we use them in our browser, that are easy to recognize and remember.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 119 of 143

Instituto Nacional de Tecnologías de la Comunicación

(SSL), that allow the user to detect via the padlock of his browser or the “https” of the address, that he or she is under encrypted connection. •

Employing technological tools that will prevent any user from downloading any information published by another profile, this being independent of the kind of information published on the network. It is recommended to limit the automatic download of personal information, such as photographs or videos on the users´profiles. Otherwise, massive downloads would be possible, with the potential creation of independent database, which might have serious consequences. However, it is recommended not to completely prevent this possibility but in that case to ask the user if he or she allows his or her contents to be downloaded by third parties.



It is recommended that social networks and collaborative platforms that allow and encourage the systems of nicknames allow at the same time to create real “digital identity” from them.

Recommendations for the training and the awareness of the users regarding their security. The role of social networks It is fundamental that social networks encourage the users to know more about their own security while using their services. These ones are based on the sharing of personal information. It is therefore essential for the users to rely on specific recommendations on their security and to be sure that these services are completely secure. In this respect, social networks and the collaborative platforms should encourage the awareness and the training of their users when it comes to the protection of their privacy, their intimacy and the protection of their personal data, the protection of intellectual and industrial property, and, in a specific way, the protection of underage users. Thus, it is particularly relevant to follow the following proposals: •

Development of contents informing the users about the processing of their personal data, the advertisement systems used in the platform, the potential threats they might face while using this id of online services, and the implications the publication of contents in the social network might represent.



Displaying information related to the security on the platform and the measures the users might take in case of infringement of their rights.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 120 of 143

Instituto Nacional de Tecnologías de la Comunicación



In this respect, it is recommended for social networks and the collaborative platforms to: o

Realize training programs in which the most frequent conflicts while using the platform are being studied. It is recommended to resort to online videos and graphical materials for the users to understand easily the ideas conveyed by them.

o



Reach agreement with the relevant national and international authorities to encourage the training and the awareness of the users when it comes to the security on the Internet.

Taking into account that the majority of the users are underage, it turns out to be fundamental that social networks and the collaborative platforms together with the public authorities and the associations and organizations dealing with the protection of minors, carry out initiatives encouraging the training of underage users as well as their guardians regarding the security of users, investigating the possible existing technologies to identify the age of the users while using the service.



As indicated by some providers, it might be recommended to carry out volunteering programs inside the company in order to collaborate with schools and training centers to spread the importance of the security, as well as to inform the users on the main recommendations to take into account while using the services.

4.1.2 Proposals and recommendations addressed to the manufacturers and the providers of computer security The role played by computer security providers and manufacturers is essential when it comes to the protection of the users, since they are providing technological tools able to avoid, or to reduce in some cases, the unfavorable situations that might derive from the use of these platforms: online fraud, phishing, pharming, identity stealing, spamming and diffusion of inappropriate contents. In this respect, the manufacturers and the providers of security should take into account two key aspects to reach the maximum level of security: •

Online fraud prevention. It is essential to adopt a proactive position in this respect by developing software able to guarantee the security of the users of the platform. This effort should not only focus on social networks, but also be extended to all the agent taking part in the process, to reduce the number of security holes.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 121 of 143

Instituto Nacional de Tecnologías de la Comunicación



Investigation and developing technological security. It is essential to carry out a constant investigation activity when it comes to online security, developing new tools able to prevent or control situations of risks.

It is also essential that the manufacturers of security solutions and services encourage in their sector the following aspects: •

That the marketed applications implemented in social networks have been developed, revised and evaluated in accordance with the quality, security and privacy standards that guarantee their use is respectful and secure towards the users´ rights. Their proper functioning should also be reviewed.



The companies dedicated to security should encourage the interoperability of their security systems, promoting the implementation of standard protocols and systems in social networks that will guarantee the compliance of pre-established codes of conduct. In this respect, it is recommended to collaborate directly with the Security Forces of the State in the investigation of new situations of risks for the users, in order to develop applications able to detect, act and counteract any unfavorable situations for the users of the platform.



It is recommended to the manufacturers and the providers of computer security to be proactive when detecting the malicious programming codes that allow security holes in the platform, as well as when elaborating Black Lists, in which will be included the domain names that are presenting unauthorized contents, or that do nott abide by the security criteria previously mentioned.



It is recommended for the manufacturers to develop security patches and updates to guarantee that the persons in charge of the platform as well as the users are using entirely updated and secure applications.



In this respect, it is recommended for these manufacturers to develop applications that comply with international standards.



It is recommended to develop remote applications that allow the guardian to have the complete control of the contents and the operations realized by underage users on the Internet. It is recommended to develop applications that will allow the guardians/the parents to: manage and/or monitor the contact lists of the underage users when it comes to instant messaging services, blogs, social networks and/or similar services; to know

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 122 of 143

Instituto Nacional de Tecnologías de la Comunicación

the websites the minor is visiting or tries to visit; to limit the access of inappropriate websites for underage users; to obtain information related to the activities of the minor on the network and to allow different levels of supervision depending on the age of the minors 111 . Through this kind of application and the promotion realized by the manufacturers and the platforms, an effective result might be reached regarding the control of underage people on the internet, as well as their security regarding the dangers of the Internet. •

To include in the technical descriptions of the software that process personal data, the technical description of the basic, medium and high security level mentioned by the LOPD (Legislation on the personal data protection).



It is also recommended for the manufacturers of security software together with the relevant public administration to encourage the development of tools dedicated to reduce the reception of spam through social networks and similar platforms. In this respect, it is necessary to take into account that social networks are turning to become big sources of information from which might be generated commercial databases with high level of virality.

4.1.3 Proposals and recommendations addressed to the Internet Services Providers (ISP) The ISP are hosting social networks in their servers and are providing connectivity to them. In this respect, it is recommended to: •

Create reliable and secure communication platforms with the Security Forces of the State, the Attorney General and the Judicial Authorities in order to save time in the emission and the reception of any notifications from these agents.



Give entire support to the Security Forces of the State when reclamation is made.



To inform the users and the direct clients on the security measures implemented for the service they are using. Thus it is fundamental that they guarantee the integrity of the databases as well as the security of the DNS servers in order to reduce or prevent phishing or pharming cases.

111

The system developed by Microsoft Inc allows the guardians/the parents to know, authorize and limit the access to webpages and to specified contacts through social networks, instant messaging systems or other online services. For more information, visit the website “Windows Live: Familial security”.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 123 of 143

Instituto Nacional de Tecnologías de la Comunicación



To immediately attend blocking complaints when the sender is clearly identify, taking into accounts the kind of infringement. To immediately inform the Security Forces of the State

4.2 Proposals and recommendations addressed to the Administrations and Public Institutions The Administration and the Public Institutions, since they guarantee the rights of the people and thus of the million Internet users, should encourage the following proposals and recommendations regarding the normative, technological and security aspects as well as the awareness and the training of the users 4.2.1

From a normative point of view

The consulted experts all agreed on the fact that any norm, which regulates the technological aspects of the Information Society, should follow the “technological neutrality” rule, so that the regulated aspects will cover any particular situations, without depending on the technological characteristics they might involve. They also underlined the need to align the normative requirements of the digital world with the physical one, so that the conditions for the provision of digital services will not be more burdensome than the ones in the real world. However, very few considered that the legislation should be completely reviewed but they asked for a better interpretation of this one. All of them agree on the following aspects: Protection of Personal Data, Intimacy, Honor and Image The norm related to the protection of personal data, intimacy, honor and image in Spain is very much advanced compared to the one existing in other States of the Union. However, it is recommended: •

The relevant authorities should promote the elaboration of studies, recommendations and rulings that will periodically analyze the most used Internet services, so that the analysis of the Information Society will be constantly updated. Thanks to theses studies, the Administration and the Public Institutions should propose recommendations to the providers of theses services in order to improve their quality.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 124 of 143

Instituto Nacional de Tecnologías de la Comunicación



The international community, or at least the European Union, should encourage the respect of basic norms; independent from the place the agents are operating, so that the users might rely on a global legal security.



The sanctions towards the illicit use of information should be effectively executed.



The international legislation concerning those matters should be harmonized, so to correctly protect the users on the Internet

Intellectual Property Through the revision of the main platforms that are operating in Spain, as well as through the consultations realized on intellectual property and the Society of Information, it has been detected that all the legal notices establish the compulsory cession of the intellectual property rights to the platform. Thus it is recommended for the normative authorities to: •

Encourage, or oblige, this kind of platforms to make public or al least to emphasize that the contents published on their network will become their property, before any users publish any content on this one.



Social networks are turning to be platforms where the users can embed contents published on other digital platforms (videos, photographs, etc.). Thus the intellectual property rights should be extended to this kind of conduct.



It is recommended that the relevant authorities promote, from a normative point of view, direct agreements between the musical and audiovisual industry and the most important platforms of content diffusions, in order to determine objective, controllable and quantifiable criteria to allow the verification and the payment of the licenses of use related to the published contents.



It is recommended to oblige the providers of Internet services to implement simple, free and efficient systems to denounce the infringements of intellectual property rights.



The norm on intellectual property is based on the right to authorship and the interdiction to use protected contents without authorization.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 125 of 143

Instituto Nacional de Tecnologías de la Comunicación

It is recommended for the legislation on intellectual property to be submitted to a serious adaptation, based on the maximum permissiveness possible. However, a fair remuneration should be guaranteed to the owners of the intellectual rights, so that they will be compensated for the efforts involved in the creation of their work. Consumers and Users •

It is recommended that the legislator define clearly the relevant authority that will attend the complaints of the consumers and the users, when it comes to the use of this kind of platform and more generally to the use of the Internet. The main problem for the users when they want to complain about commercial transactions realized on the Internet, is that the cost to make a complaint, as well as the time to solve it, are very high. In addition, the quantity of money implied is generally very low. So it does not encourage the users to file complaints. It is recommended for the public authorities, together with social networks to create a new organism able to offer the users valid and cost free solutions in those matters.



When it comes to social networks or platforms operating for Spain but from a different location, it is highly recommended to implement efficient mechanisms, from a temporal and economical point of view, regarding the possibility to block the access to the online platform, when it has been clearly proven that the published contents, the commercial proceedings or the General User Conditions are infringing the applicable law, provoking a serious damage to the users.



It is recommended to work on the harmonization of the rights of the consumers and the users at the international level, so that any user or consumer will know what are the minimum conditions required to run any platform and will be able to denounce any situation that will break his/her basic rights, without depending on the place he or she is, or the platform where she or he realized the transaction. This implies to create uniform rules, that will regulate the e-business at the international level, and that will make available a package of global and general conduct. Thus it is recommended to adjust the International Private Law to the new reality of the Internet, so it will be easier to determine the applicable legislation and the competent organ to solve litigious cases.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 126 of 143

Instituto Nacional de Tecnologías de la Comunicación

4.2.2

From an executive and administrative point of view

The following recommendations are addressed to the Public Administration with the objective to guide the implementation of supportive, promotional and performing measures in terms of security of the services provided by the Information Society: •

Specific training in terms of Technological Law directed to judges, magistrates, forensics, district attorneys and judicial secretaries and any other member of the Public Administration that might take part in the cases related to the services of the Information Society, allowing them to know sufficiently how these services are working and what are their main characteristics and problematic, so they can determine in a clear and adjusted manner what are their legal implications. So it is necessary for the Center of Juridical Studies and the related professional training programs to include a specific training on Technological Law.



It is necessary to equip the technological squads of the Security Forces, belonging to the State, the autonomous communities or the International community, with technological tools that will allow them to investigate, to maintain the chain of custody for electronic evidence and to block situations that will be susceptible to cause a damage to the users of social networks and collaborative platforms.



4.2.3

Development and articulation of fast and free judicial proceedings so that the users will be better protected. From an educational and informative point of view

Each and every aspect related to the Information Society and the security requires a serious effort of awareness and training from the implicated private entities, as well as from the Public Administrations, since it is by working together that the most adequate results will be obtained. Thus it is recommended for the Public Administrations to: •

Realize awareness campaigns on the risks to publish personal data on social networks, which would be supported by all the agents of the value chain.



To organize training days and outreach programs where themes related to the security on the web will be addressed from a practical, technological, juridical and sociological point of views.



To include in the educational system classes on the security on the web and the protection of personal data when using social networks.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 127 of 143

Instituto Nacional de Tecnologías de la Comunicación



4.3

To organize awareness and educational campaigns through the Web 2.0, thus guaranteeing a better circulation and effectiveness. Proposals and recommendations addressed to the users and the

associations After specified is a series of recommendations addressed to the users of social networks and collaborative platforms, which have the objective to inform them upon the benefits these kinds of services might bring but also the damageable -but easily avoidablesituations they might be confronted to while using them. 4.3.1 •

Protection of personal data, honor, intimacy and personal image All users should take into account that they have the complete control over the information they want to publish on the network and that they are responsible if the excessive publication of personal data put at risk their intimacy. Thus it is recommended not to publish in personal profiles intimate information related to ones personal and family life that might be seen by everybody on the network. On the other hand, the users should be aware of the implications, at the professional level, their “trails” might have, since many companies are currently using these networks to identify potential candidates or to study the public profiles of pre selected ones. However, taking into account that the users are free to publish any information they want regarding their private lives, it is highly recommended for this publication to be controlled, blocked or erased.



It is recommended for the users to use nicknames when they browse on the Internet, so they will have at their disposal a real “digital identity” that will not threaten their personal and professional life. Only close contacts will know who is behind the nickname.



It is recommended for the users to be specially cautious 112 when publishing audiovisual or graphical contents on their profile, given that they might put at risk the privacy and the intimacy of other people from their circle. When they publish that kind of contents, the users should warn the third parties that are appearing on these contents and ask for their authorization.

112

This type of platforms bases their service on actualización constant of the profiles of users, More information where avaible at chapter 3 of this document.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 128 of 143

Instituto Nacional de Tecnologías de la Comunicación

4.3.2 •



4.3.3 •

Intellectual property In case of violation of the intellectual property right, it is recommended to follow these steps: o

To contact immediately the social network, denouncing the non-authorized use of the content, proving the authorship and request expressively to withdraw it. It is recommended to use the proper flagging systems put at the disposal of the users by social networks.

o

In case the content is not withdrawn as requested, it is advised to initiate relevant legal actions before national courts or tribunals.

As for the use of a third party contents, it is recommended to only use and publish the ones respecting intellectual property rights. Otherwise the user would commit a tort covered by national tribunals. Technology and security It is recommended for the users to use different usernames and passwords to access the distinctive social networks they are member of. This measure will higher the level of security of their profile, since the potential attackers would have to break more than one security system.



It is recommended to use passwords with more than 8 characters, alphanumeric and with capital letters. This kind of password is certified with the highest level of security, guaranteeing the integrity of the published information.



4.3.4

It is recommended for the users to install and update antivirus software, to guarantee that no spyware or harmful software might put at risk their computer and the information saved in it. Protection of underage users

While conducting the interviews and round tables, the situation of underage users of social networks has been specially emphasized. The following proposals are addressed to them as well as their guardians: •

Personal data should not be excessively disclosed. Some persons might take advantage of these data to access to specific groups or simply to collect profiles. Personal data should never be given to strangers. In case of doubt, it is better to ask the parents or the guardians.



The information concerning the webpage should be read entirely. There could be found who are the owners of the website and what for the data will be used.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 129 of 143

Instituto Nacional de Tecnologías de la Comunicación



If the user is under 14 years old, the consent of the parents or the guardians is required. In those cases, each time the social network asks for personal data, the guardians should give their authorization.



The usernames and the passwords should not be communicated to anyone, even to friends or classmates. These data are private.



The guardians or the parents should be consulted in case of doubts while using social networks. If an undesired behavior is detected, then it should be signaled to the guardians who will be able to denounce this behavior to the platform, which, in this case, will take the necessary measures. If this conduct is considered as criminal, it should be signaled to the Security Forces of the States that have specific squads for this kind of situation.

As for the guardians and the parents, it is recommended: •

That the computer should be in a common area of the house, above all when minors are using the Internet. Otherwise, it is recommended to monitor the use of the Internet by the minors 113 .



“Internet rules” should be established at home. When the minors begin to use the Internet by themselves, the websites they are visiting as well as the hours of the day they are spending on the web should be controlled.



The parents should know how the platforms are working and the potential danger they are representing as well as their benefits. This way, the parents will be aware of the potential legal and technological implications regarding their use, and they will be able to teach better how to use them.



To activate the parental control and other tools controlling the platform as well as configuring the e-mail of the guardians/the parents as a secondary mail. This way, the guardians/the parents will receive all the messages coming from the platform and will be able to filter them. They will be aware of the activities of their children on the network and they will be able to control which groups they belong to.



To make sure the age-control systems are effectively working. To make sure the websites visited by the minors have implemented systems able to detect the age of the user, and have previously announced the kind of content they might encounter while visiting it.

113

For example like the Microsoft tool Windows Live Parental Control

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 130 of 143

Instituto Nacional de Tecnologías de la Comunicación



To make sure the content-blocking systems are implemented. These ones prevent the access to contents understated to minors, either they access them via computer or from mobile phones. Thanks to these tools, the adult-adapted or undefined contents will be blocked.



To help the minors to be aware of the dangers these platforms might represent. The education is crucial. It is necessary to explain the minors how to use these platforms in a secure way.



To tell the minors to never meet with a person contacted online unless their guardians/their parents accompany them.



Make the minors aware of the risks conveyed by the publication of contents such as videos and photos online, as well as of the use of web-cams. The minors have to be taught how and when to use them.



Control the minor’s profile. The information he or she might published should be controlled. The Privacy Policy should be reviewed.



Make sure that the minors only access pages recommended for their age. The average age of the platform users should be aligned with the one of the minor, so that the risks Hill be reduced. In case the parents cannot find the average age of the users, they should ask directly the platform or forbid its access to the minor.



Make sure that the minors do not use their full names. They will be less easily identified. It is better for them to use nicknames while using the platforms.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 131 of 143

Instituto Nacional de Tecnologías de la Comunicación

5

CONCLUSIONS

In Spain, the Internet becomes more and more a place for a new kind of social relations based on the growing participation and interaction of the users. Social networks and the collaborative websites are one of the most important means to contact other users on the Internet, to maintain a new kind of relationships and to access to common contents. These platforms are growing essentially thanks to viral marketing, which had allowed their quick expansion. The last international statistics (from the Universal McCann Study of March 2008: “Power to the people social media. Wave 3”) estimated the number of social network users to be 272 million, around 58% of the total amount of Internet users worldwide, which represents an increase of 21% compared to the data released in June 2007. In Spain 114 , as underlined in the Universal McCann Study, 44.6% of the Internet users are using these services to be connected with their friends and close family, or to look for persons they lost contact with. Applying this percentage to the data registered by the Wave XX from Red.es, which highlighted that “between January and March 2008, around 17.6 million of people have used the Internet the month before”, it is estimated that 7.85 million regular users -above 15 years old and that had Internet connection during the last month- are using social networks. However, the growth and the notoriety of these social spaces are not free from potential risks or ill-intentioned attacks. It is partly due to the fact that the use of these networks is based on the publication of users’ personal data, which might generate situations that threaten and violate the fundamental rights of not only the users. but also third parties. For example, the uncontrolled publication of information by a user might violate, among others, the rights protecting the honor, intimacy, image and personal data. It has to be taken into account that, in many cases, these violations are due to a lack of information and training of the user, who is making a wrong configuration of the privacy settings of his or her profile. The risks to violate these rights are increasing when the published information does not concern the user him/herself but third parties. And it reaches its maximum when the user of social networks is underage, since it must be added to the above-mentioned risks the 114

Even if the sources of information are diverse, they all agreed that, for 2008, the number of Internet Spanish users who are regularly using social networks is around 40 to 50%. It was, for example, 50% according to Zed Digital (The Phenomenon of social networks. Perception, uses ad advertisment. November 2008) or 45% according to The Cocktail Analysis (Observatory for the assessment of social networks. Online communication tools: Social networks. November 2008).

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 132 of 143

Instituto Nacional de Tecnologías de la Comunicación

ones of accessing inappropriate contents and the ones of having contacts with potential ill-intentioned adults. Social networks are not strictly subject to geographic location to provide their services. However, it must be taken into account that, in Spain, a specific legislation is in force to treat all the aspects related to the providers of services for the Information Society 115 . On the one hand, the European Directive 95/46/CE, whose application includes these activities, and on the other hand, the Law 34/2002, related to the Services of the Information Society and the E-Business, in its article 5, both regulate the concrete aspects that apply to the “Providers established in a State that does not belong to the European Union or the Economic European Area”. If they “offer their services in the Spanish territory, they will be subject to the obligations stipulated by this Law, unless these ones go against what has been agreed in international treaties or conventions, applicable in those cases”. In any case, it is important to underline that the owners of social networks should improve: From a juridical point of view •

The conditions of use that are difficult to find on the website.



They are confusing and badly written.



They are difficult to understand by any user that does not have technological or juridical knowledge.



The technological security systems of the platform are not sufficiently respected

From a technological point of view The interviewed platforms indicated they had implemented different security measures in collaboration with the ISP (Internet Service Providers), with the purpose of reducing the number of possibilities for the platform and for their users to suffer from phishing or pharming, as well as of reducing the possibilities to steal identities. Furthermore, it has been noticed that the most extended manner to guarantee the protection of the users is the flagging system (internal denunciation). Social networks all agreed that the collaboration of the users is a key aspect to provide safe services. 115 According to the definition from the First Additional Provision to the Law 34/2002, related to the Services of the Information Society and the E-Business, it means “physical or juridical person, that offers a service of the society of information”.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 133 of 143

Instituto Nacional de Tecnologías de la Comunicación

However, in spite of the implemented measures, social networks still have to improve the following aspects: •

Training of the users on the different settings aspects of their profile and on the benefits of an adequate publication of personal data.



The settings by default should be configured to the highest level of privacy (it is generally configured to allow the maximum exposure of the profile).



Controlling the indexing and the storage of the profiles by the searching engines.



The networks have not implemented systems to identify the age of the users, in spite of the different projects that already exist with this objective 116 .



Establish remote systems to identify the users through electronic signature. Systems like the digital ID allow secure electronic transactions and guarantee the real identity of the user.

116

For example the initiative proposed by Association for the protection of minors Protect them! in their web micueva.com where the users are individually contacted when they register so that their age will be verified.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 134 of 143

Instituto Nacional de Tecnologías de la Comunicación

ANNEX I I List of Participants This study has been developed with the collaboration of representatives from social networks, as well as with professionals related to the protection of the rights of the users or related to the field Technological Law. It benefited from their knowledge and experience in the field of information security, privacy on the Internet and protection of personal data. From INTECO and AEDO, we would like to thank them for their collaboration while realizing the interviews and the round tables. •

Abraham Pasamar. Technological Expert at Indice, Digital Investigation.



Alexandra Juanas Castañada, Lawyer at Castañada & Castañada Abogados, (legal advisers of the social network Wamba).



Alonso Hurtado Bueno, Lawyer at X-NOVO Legal & Web Solutions, S.L.



Álvaro Cuesta. Director of X-NOVO Legal & Web Solution, S.L.



Blanca E. Sánchez Rabanal. Technical expert at the Observatory of the Security of the Information of the INTECO.



Bárbara Navarro. Responsible for Institutional Relationship at Google Spain (providers of the platforms OpenSocial, Orkut and YouTube).



Bárbara Olagaray. Legal responsible for Center and South Europa at Microsoft España (contact in Spain for social networks MSN Live Spaces and Facebook).



Cesar Iglesias. Security consultant and LOPD Lawyer at Díaz-Bastien & Truan.



David Puello. General Director and Founder of the social network Votamicuerpocom.



Enrique Dans. Professor of Technological Information at Instituto de Empresa.



Fernando Fernández. Inspector of la Brigada de Investigación Tecnológica de la Policía Nacional



Fernando Ujaldón. Responsible for Communication for the social network 11870.com

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 135 of 143

Instituto Nacional de Tecnologías de la Comunicación



Francesco Pla. Responsible for Security at Vesne, S.L. (company dedicatd to the development of social networks, such as Moterus).



Iban Diez López. Lawyer at Gómez Acebo & Pombo (Legal advisers of the social network Tuenti).



Icaro Moyano. Responsible for Communication for the social network Tuenti.



Iván García Crespo. Technical expert at The Observatory of the Security of the Information of the INTECO.



Ignacio Parada. Responsible for the Security of Information for the social network Vi.vu.



Jaime Esteban. Product Manager de Microsoft Ibérica (contacto en España de las redes sociales MSN Live Spaces).



Javier Cremades. President of Cremades & Calvo Sotelo.



Javier García. Adviser of the Technological Cabinet of the Defenser del Menor de la Communidad de Madrid.



Joaquin Muñoz. Partern at Abalex Abogados.



Juan José Portal Svensson. Manager of the Security of Information at Forbes Sinclair, S.L. (International adviser for security of information and instructors at British Standard Institute).



Juan Luis Alonso. Responsible for Security and Contents at Advernet, S.L. (Providers of Dalealplay.com that belongs to the Vocento Group)



Juan Salom. Commanding officer of Brigada de Delitos Telemáticos de la Unidad Central Operative de la Guardia Civil.



Luis Albaladejo Ufate. Consultant for the Security of Information at Forbes Sinclair, S.L.



Luis Cisneros. Lawyer at X-NOVO Web and Legal Solutions, S.L.



Luis Miguel García. Security responsable and Platform Strategy Director Microsoft Iberica.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 136 of 143

Instituto Nacional de Tecnologías de la Comunicación



Manuel Vázquez. Chief Captain of the Brigada de Investigación Tecnológica de la Policía Nacional.



Maria González Torres. Lawyer at Gómez Acebo & Pombo.



Maria González. Lawyer at Google España (provider for the platforms Opensocial, Orkut and YouTube).



Michael Hall. Founder, Partner and auditor in Security of information, CISSP, Forbes Sinclair, S.L.



Miguel

Ángel

Diez

Ferreira.

Managing

Director

of

the

social

network

Redkaraoke.com. •

Miguel Pérez Subías. President of the Asociación de Usuarios de Internet.



Mikel Lertzog. General Directo at Hi-Media España (Responsible for the social network Fotolog España).



Orial Solé. Founder of the social network Patatabrava.com.



Pablo Fernández. Partner of Abanlex Abogados.



Pablo Pérez San-José. Manager of Observatorio de la Seguridad de la Información de INTECO (coordinator and director of the study).



Pedro Escribano Testaut. Judge at the Gabinete Técnico de la Sala III del Tribunal Supremo.



Pedro Jareño. Responsible for Marketing and Communication of the social network Minube.com



Rodrigo Méndez Solís. Legal Technology Advisor at X-NOVO Web and Legal Solutions, S.L.



Sergio Hernando. Consultant and Auditor for the Security of Information and the Encrytpation of Departamento de Seguridad BBVA.



Sylvia Alonso Salterain. Partner at Cremades & Calvo Sotelo.



Tomás F. Serna. Lawyer. Specialized in Data Protection and Security of Information at Tomás F. Serna Abogado.

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 137 of 143

Instituto Nacional de Tecnologías de la Comunicación

II Analyzed Social Networks The following table presents the list of social networks and collaborative webs that had been analyzed for the elaboration of the study.

Name 11870.com 43 Things Advogato ASmallWorld Badoo Bebo BlackPlanet Broadcaaster.com Buzznet Capazoo CarDomain Care2 Classmates.com Cyworld Dalealplay.com Dandelife Del.icio.us. DontStayIn Experience Project Facebook FaceParty Flickr Flixster Fotki Fotolog Friendster Frientes Reunited Gaia Online Gather Geni.com Grono.net GuildCafe Hi5 Hospitality Club Hyves Imeen IRC-Galleria

Objective Share and recommand other websites Platform to express and plan ideas and obtain collaborations Share knowledge related to computers Rich Public General General Afro-american Public Share contents Culture and popmusic General Share knowledge related to cars Promote ecological and social movements General Afro-american Public Share multimedia contents General Share weblinks Promote the culture club General General General Share photographies Shar videos Share photographies Blog of photographies General General Promote the anime community Share multimedia contents Family and Genealogy Promote contacts between Polish people Community of online players General Share accommodations Promote contacts between Dutch people Share multimedia contents Promote contacts between Finnish people

Number of Users

Registration

12269

+14 years old

1007433

Open

11000 150000 12500000 40000000 16000000 25000000 550000 Not available 1600000

Open Only with invitations +18 years old Open Open Open Open Open Open

8123058 40000000 21200000 Not available Not available Not available 330000 Not available 150000000 5900000 4000000 36000000 1000000

Open Open Open Open Open Open Open Open +13 years old +16 years old Open Open Open

12695007 75000000 19000000 9300000 450000 750000

Open Open Open Open Open Open

1350000

Open

Not available 50000000

Open Open

328629

Open

5000000 16000000

Open Open

400000

Open

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 138 of 143

Instituto Nacional de Tecnologías de la Comunicación

iWiW Jaiku Joga Bonito Last.fm LibraryThing LinkedIn LiveJournal LunarStorm Meeting Meetup.com Migente.com MindViz Minube.com Mixi MOG Moterus.com MSN-Windows Live Spaces Multiply My Opera Commjunity My Church MySpace My Yearbook Netblog Nexopia Okcupid Orkut OUTeverywhere Passado Passporststamp Pataabrava.com Piczo Plaxo Playahead Playtxt Pownce ProfileHeaven RatetAll RedKaraoke.com Reunión.com Ryzo

Promote contacts between Hungarians General Share knowledge related to football Share knowledge related to music Share knowledge related to literature Share knowledge related to companies Share knowledge related to blogs Promote contacts between Swedish people General General Promote contacts between Latinos General Share experiences related to traveling Promote contacts between Japanese people Share music Share knowledge related to motorcycles Blog Hub

3100000 Not available Not available

Only with invitations Open Open

15000000

Open

214425

Open

16000000 12900000

Open Open

1200000 72000 2000000 36000000 145000

Open Open Open Open Open

51353

Open

9830000 Not available

Only with invitations Open

4300

Open

120000000

Open

General

7000000

Open

General Promote contacts between Christians

1001798

Open

70306 110000000 950000 28000000

Open Open Open Open

General General General Promote contacts between Canadians

1158531

Open

Search for personal contacts General Gay community General Share experiences related to traveling

800000 67000000 Not available 4700000

Open Open Open Open

12000

Open

General General Obtain professional contacts General Social network with geolocalization of the users

40000 10000000 15000000 530000

Open Open Open Open

70000 Not available 100000

Open Open Open

Not available 100000 28000000

Open +18 years old Open

250000

Open

Share multimedia contents General Evaluation of products and services Social network for Online Karaoke General Share knowledge related to companies

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 139 of 143

Instituto Nacional de Tecnologías de la Comunicación

Sconex Searchles Sermo Shelfari Skyrock Blog Soundpedia Sportsvibe Squidoo StudiVZ Tagged.com TakingItGlobal The Student Center Threadless TravBuddy.com Travellerspoint Tribe.net Tuenti Twitter Vi.vu Votamicuerpo.com Vox Wamba Wayn WebBiographies Woophy Xanga

Social network for American Highscools General Promote contacts between physicians and scientists Share experiences related to literature Blog Hub Share information on music Encourage sportive activities General General General Promote social actions General Share designs for shirts Share experiences related to traveling Share experiences related to traveling General General General (microblogging) Have medical consultations and share experiences Contacts Blogs General Share experiences related to traveling Promote Genealogy Share experiences related to traveling

500000 Not available 40000

Open Open Licensed and Doctorate

Not available 3800000 3500000 18000 Not available 4000000 30000000 145000 800000 364474

Open Open Open Open Open Open Open Open Open Open

750000

Open

105000

Open

602876 2400000 Not available

Open +14 years old Open

3000 300000 Not available 2511729

Open Open Open +14 years old

8000000 Not available

+18 years old Open

23000

Open

40000000

Open

XING

Blog Hub Share knowledge related to companies

4000000

Open

Yahoo! 360º YouTube

General Share multimedia contents

4700000 115000000

+18 years old +18 years old

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 140 of 143

Instituto Nacional de Tecnologías de la Comunicación

INDEX OF GRAPHS Graph 1: Percentage of Social Network Users in Spain. March 2008. ..............................33 Graph 2: Number of contacts by social network users in Spain. October 2008 ................37 Graph 3: Penetration of Online Social Networks by Age Group in Spain. July 2008 (%) ..42 Graph 4: Value chain of social networks ...........................................................................45 Graph 5: Evolution of the Traffic (million) ..........................................................................46 Graph 6: Geographical distribution of social networks in 2007 (%) ...................................47 Graph 7: Segmentation by age of social networks users in Spain (June 2008) ................48 Graph 8: Use of social networks in Spain by level of study (June 2008)...........................48 Graph 9: Penetration of different Social Networks in Spain (July 2008)............................49 Graph 10: Monetization of social networks and Web 2.0 (Sept 2008)...............................51 Graph 11: Earnings per day of the Facebook applications (in thousands dollars) ............53 Graph 12: Forecast sales of online B2B advertising, between 2007 and 2012 in million U.S. dollars ........................................................................................................................54 Graph 13: Growth model of social Networks .....................................................................56 Graph 14: Uses of social networks by Spanish users (%). October 2008. ........................57 Graph 15: Privacy settings (October-December 2007)......................................................58

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 141 of 143

Instituto Nacional de Tecnologías de la Comunicación

INDEX OF TABLES Table 1: Sampling by Autonomous Communities (%) .......................................................26 Table 2: Sampling by Socio-demographic Categories (%) ................................................27 Table 3: Social Networks ...................................................................................................32

Study on the Privacy of Personal Data and on the Security of Information in Social Networks Information Security Observatory

Page 142 of 143

Instituto Nacional de Tecnologías de la Comunicación

http://www.inteco.es http://observatorio.inteco.es

http://www.agpd.es