Content uploaded by Radi Petrov Romansky
Author content
All content in this area was uploaded by Radi Petrov Romansky on Aug 30, 2016
Content may be subject to copyright.
SOCIAL COMPUTING AND DIGITAL PRIVACY
Radi Romansky
Abstract:
The contemporary digital world based on the global network
proposes different opportunities for remote access to distributed
environments and shared information, dissemination of specific content,
communication between real or virtual users, using cloud services,
implementation social contacts, etc. Many of these activities are
connected to creation of personal profiles and uploading personal data
but it is not known the policy of privacy protection. The article discusses
some challenges of digital world (particular of social computing) for
personal data protection as a main part of the privacy. The special
features of social computing and its components are discussed, the
fundamental principles of data protection organization are presented and
problems for personal data protection are summarized.
Keywords:
Digital world, social computing, privacy, security policy,
personal data protection.
1. Introduction
The contemporary Information Society (IS) hold out different
possibilities for communication, collaboration and sharing digital
contents by using digital environments. The European initiatives for IS
developing from the beginning of current century permit many users of
network space to improve their cultural, economic and social status. In
this reason an important question should be asked – “Do these activities
in the digital world ensure our privacy?”. This is a very important
question because the privacy of individuals is a fundamental right and it
includes the right for Personal Data Protection (PDP) presented by the
phrase “the right to be alone” (Romansky, 2014a). The new proposal of
the European Commission (EC, 2014) is to transform this paradigm to
the version “right to be forgotten” that will reflect to the problems with
personal information in the profiles for registration in different network
environments, forums, groups, etc.
It is right that on the base of Information and Communication
Technologies (ICT) are created different places in the digital world that
propose real environment for distribution and remote access to
information resources and services, sharing personal and public
information (content, video, audio, pictures, etc.), communication
between participants in groups of interest, groups for social contacts,
access to clouds and data centers, etc. Many of these opportunities of
digital world expect creation of personal profiles and uploading personal
information that could be accessed by other users, not always in a
correct way (Lam&Riedl, 2012). This requires a modernization of data
protection rules (Knijpenga, 2012) and a protection of privacy for all
participants in the digital world (Fischer, 2014).
The digital world consists of different components accessed and
used by individuals, public institution and business organizations. The
traditional part of these components helps users to obtain some new
knowledge based on interactive communications (web-environments
with a large collection of contents, distributed specialized information
resources, tools for virtual reality, etc.) (Garber, 2012). This part should
be extended by opportunities of cloud environments and data centers
(using remote resources as a services) (Chen&Zhao, 2012), social media
and Web 2.0 (tools that permit collaboration and sharing of information
and knowledge between large set of users) (Kinast&Partner, 2014),
distributed environments for online/distance learning (using and sharing
learning content and organize the collaboration on the base of specific
interests) (Yong Chen & Wu He, 2013), Massive Open Online Courses
(MOOCs) that many educational institutions apply (the tendency is that
MOOCs will change the higher education in the next years
(Mayer&Zhu, 2013).
Creation and supporting user’s profiles in the network space
permit different personal information to be accessed by other users of
the global network. This could be made very undesirable problems for
users and violate their privacy. In this reason the PPD should be
important obligation of the distributed services providers. Some aspects
of the security and digital privacy in the network world are discussed in
(Romansky, 2014b) and (Romansky, 2014c).
The main goal of this article is to generalize features of social
computing as a part of the contemporary digital world and to determine
the specific challenges for the digital privacy and in particular for the
realization of the main principles of PDP. In this reason the second
section discusses some social aspects of Internet environment directed to
some economic-social characteristics of access and using, and special
features of social computing. The third section deals with the security
policy in the field of PDP and the main challenges of social computing
for privacy of individuals are generalized. The forth section summarizes
the activity of European Commission (EC) in the field of PDP in the
cyber space and presents the latest regulations in this area.
2. Social aspects of Internet-environment
2.1 Economic-social characteristics
The policy of the European Union (EU) for the development of
IS determines the important role of the computer skills as a factor for
realization of all sectors of the economics. The using of ICT
increases the competitive power of companies and sets in the last
years the term “digital economics”. In other hand the shortage of
competent specialists in the ICT sector slow down its quick growth.
It is reported the increasing availability of work places in the ICT
sector – Empirica estimates that in 2020 the shortage will be about
913 000 specialists (Fig. 1).
Different economic-social characteristics of the access and using
of Internet environment are subject to monitoring by EC. They permit to
evaluate the current level of IS growth in the EU members and to
determine the average assessments for EU. Some of the evaluated
characteristics are level of Internet-connection and level of broadband
access, high speed Internet, ICT using by citizens and business, etc.
Figure 1. Shortage of ICT cadres in EU (prognosis of Empirica, 2013)
The “Digital agenda for Europe” (http://ec.europa.eu/digital-
agenda/) look at the digital economy and access & connectivity as an
important components of the digital society. This document highlights
the necessity of increasing the high-speed broadband access for all and
building modern broadband infrastructure. Bulgaria has a very high
assessment for the given speed of the broadband access – over 98,1% of
the links have speed over 2 Mbps and over 74,1% have speed between
10 and 30 Mbps (29% are the links with speed about 30 Mbps compared
with 8,5% for EU). In other hand the characteristic “penetrating of
broadband access” for Bulgaria has a low level – about 18% (average
level for EU is 27,7% for 2012). The assessments for the business are
better – for example, for year 2012 published by National Statistical
Institute (NSI) data are 87,4% for the companies with Internet access
and 76,2% for these are with fixed broadband access.
The using of Internet is another important factor for evaluating
the level of IS. The statistical assessments of NSI for Internet access of
households and business are continuously increasing (Fig. 2).
Figure 2. Level of Internet access in Bulgaria
2.2 Social computing – components and features
The term “social computing” is a result of the Internet progress
and the increasing opportunities for exchange of different types of
information. It covers these activities in the global environment in which
the users are not only passive participants and consumers of
information, but they could realize different forms of direct
communication, sharing own information and to create personal profiles.
This determines concrete requirements for protection of these
information resources from illegal access and unauthorized using.
In a global aspect the term “social computing” should be taken as
a complex of different web-based and mobile technologies that permit to
transform the traditional communication in an interactive dialog with
sharing images, pictures, audio, video, experience, etc., as well as
creating, editing and dissemination of content in the Internet
environment. The main representatives are social media (Wikipedia,
Scholarpedia, Google-encyclopedia Digg, Mixx, Stuble Upon, e-
Britanica, etc.), social networks (Google+, Facebook, LinkedIn,
Pinterest, Twitter, Instagram, Friendster, MySpace, Black Planet, Ning,
Xing, GPlus, Vine, Tumblr, etc.), web sites for video-content sharing
(YouTube, VBOX7, Flickr), Internet-forums, wiki-applications, virtual
social sites (Second Life), virtual game sites (World of Warcraft), etc. It
could be defined some basic groups, listed below.
a) Social Media – web sites that are filled in with content by the
users. In this component of social computing the user decides what
information will published. The blogs could be defined as a social media
too.
b) Social Networks – this component of social computing is
different from the social media, because the main goal of social
networks is creation, storing and supporting information resources for
continuous contacts and longtime utility.
c) Social Bookmark – this component of social computing
collects the sites in which users published links to these resources that
will by accessed and used again.
d) Social Aggregators – this category is a “social” group of sites
that collect user activities in the upper categories. This form of social
contact permits exchange of information and comments, voting for a
casus, collaboration, etc.
Figure 3. Utilization of some social networks
An investigation of the users’ interest to the social networks is
carried out during 2013 by Pew Research Center (Duggan & Smith,
2013) and a generalization of the assessments is shown in Fig. 3. The
sum of statistical assessments is over 100% and this shows that
particular users access different social networks. The results determine
Facebook as the most used in the presented collection and determines it
as the most popular for different demographic groups. Pinterest is
preferred by female users, LinkedIn is especially popular among college
graduates and Internet users in higher income households, Twitter and
Instagram are accessed by younger adults, urban dwellers, and non-
whites.
Analogous results are obtained for the Bulgarian users – 87% of
Internet users say they are interested in the social computing and using
of social network. The winner for year 2013 is Facebook again, but the
next two places are occupied by Google+ and by professional social
network LinkedIn. The same investigation gives for Bulgaria the
following assessments for daily using: Facebook (83%), Google+
(24,1%), LinkedIn (4%).
The social networks are very popular with the opportunities for
contacts, exchange of information and access to contents and resources.
About 70% of the Internet-users consider that the comments of
companies in the social networks help for creating better confidence in
any trademark or firm. The preliminary information searching in
Internet for any product before buying it is supported by 95% of the
users.
It is fact that the opportunities of social computing are used by
business organizations, managers, tradesmen, etc. for creating contacts
with clients, dealers and jobbers. The social networks YouTube,
Google+, Facebook, LinkedIn and Twitter are used for online
relationships as B2B (Business to Business) and B2C (Business to
Customer). For example, different investigations carried out in USA
show that the retailers prefer Facebook for contacts, 90% of the
specialized tradesmen are oriented to Pinterest, and 50% of
technological companies use Twitter for contact with potential clients.
In other hand the created in social networks user’s profiles could
be useful for the business, the marketing and advertisement, sales and
relationships, etc. for selecting suitable clients and potential candidates
for a job position. It is not secret that the opportunities of social
networks are used by employers for selection of suitable specialists and
experts and by the tradesmen for searching potential customers.
The popularity of social computing and the comparatively easy
access to personal information (profiles, photos, comments, video, etc.)
could create problem for the privacy of the users. In this direction the
European Commission presents information that about 75% of the EU
citizens consider the disclosure of personal data as an increased
problem, and 72% of Internet-users think that too much personal data
are collected at the online registration.
3. Digital privacy and policy for PDP
3.1 Digital world, information security and digital privacy
It is known that the privacy is an important fundamental human
right uniting personal data processing, personal communications via
post and Internet, processing personal profiles in social media, forums
and other distributed environments. The new situation in the digital
world changes the traditional understanding of the privacy as “the right
to be alone” and introduces the new vision – “the right to be forgotten”.
In this reason, giving different information resources and distributed
information services by Internet requires creation of knowledge in the
society for principles, methods and technological means and tools for
adequate data processing.
The protection of personal data could be made by using means
and tools of information security technology only. The main
disturbances of information security are data destroying by attacks or
incidences, disclosure of confidential data by penetrating or capturing,
and impossibility of IT-infrastructure to oppose of external attacks.
Figure 4 illustrates the main types of incidents that violate the
information security.
Figure 4. Main types of incidents that disturbs the information security
(average assessments for the countries of EU)
The increasing using of mobile devices increases the attacks to
them. New types attacks are realized as vishing (phishing by mobile
phone) and smishing (phishing by SMS sending). There are applications
as SMS-blasting (sending a message with a phone number for calling)
and SMS-spoofing (SMS sending with a link for personal profile
actualization). Some results from an investigation in the business sector
about the most serious cyber-attacks carried out by B2CENTRE during
2014 are summarized in Fig. 5.
Figure 5. Most serious cyber-attack
All discussed problems for information security could be directed
to the privacy disturbance because the different components of the
digital world permit accessing and using personal information. More of
the components of the social computing select personal data out of the
main goal and this require a serious risk analysis of the policy in the data
protection field to keep the digital privacy of the participants.
3.2 Policy for PDP
The Data Protection Policy must be regarded in the context of IT
Security Policy as a part of Security Policy (Fig. 6). This hierarchical
sequence determines the set of means, procedures and tools for
preventing incidents, detecting attacks and restoring system
functionality after successful attacks. It is needed to determine adequate
measures for data protection on each level – from the computer layer to
the legislative layer.
Security
Policy
IT Security
Policy
Data Protection
Policy
Legislative Layer
Administrative Layer
Physical Layer
Computer Layer
Figure 6. Data Protection Policy and main layers
The computer layer presents embedded instruments for protection
of personal data structures (hardware, software, cryptographic,
biometric). The physical layer consists of technical instruments, means
and tools for unauthorized access blocking, separation of LAN
segments, recognition of legitimate users, etc. The next two layers unite
organizational rules, instructions and procedures for administrative
control and legislative and normative documents.
European understanding for “personal data” is the information
that permits to identify a person directly or indirectly, in particular by
reference to an identification number or to one or more factors specific
to his physical, physiological, mental, economic, cultural or social
identity. A popular definition in USA is connected to the rights and
obligations of the individuals and institutions about collection, using,
keeping and disclosing personal information. In this reason any
operation or set of operations with personal data (using automatic or
non-automatic means) is called “processing of personal data”. The main
participants in this process are “data subject” (the owner of personal
data), “data controller” (it should determine the purpose and the means
of processing and be responsible for all procedures with personal data),
“data processor” (real processing of personal data on the base of
agreement with the data controller), “receiver of personal data” (the
giving of personal data could be on the base of lawful reason only). Life
cycle of personal data processing is proposed in Fig. 7 and the purpose
of the phases is listed below:
The collection of personal data must be made based on a
legitimate reason only and with the consent of the individual;
The preserving of collected data should be realized in the
registers based on preliminary defined goal and criteria;
The using must be made by legitimate persons on the base of
principles of information security: authentication (by using username,
password, digital certificate, personal identification number, and
biometric means); authorization (on the base of developed digital right
management system); accountability (personalization of the access to
the data structures and registration of users’ activities);
Actualization – the personal data must be correct, full and
actual (integrity and content management);
The transfer to other country and the giving to other person
must be realized on the base of strong rules only;
Archiving could be made if it is required by law but for a
limited period of time only;
Destroying of personal data must be made after realization of
the goal.
Individual (owner
of personal data)
Collection
Using
Actualization
Giving
Preserving
Archiving
Destroying
Other
country
Third
person
Transfer
Authorization
& Authentication
& Accountability
Figure 7. Life cycle of personal data processing
3.3 Some problems for digital privacy in social computing
The social computing as a part of network world could cause
different problems for digital privacy. These problems are based on the
specific of the Internet communications and unregulated legislation in
the cyber space. The privacy in social media concerns with protection of
user’s information, user’s profiles and securing the user’s rights. The
media must try to prevent different incidents with users’ data as
unauthorized access, viruses, illegal transfer to third party, etc. A short
summary of common problems for the digital privacy is presented
below.
Identification of the roles. It is very difficult to specify the type
of the participants in PDP processes (“Data Controller”, “Data
Processor” and “Data Subject”). In this reason it is impossible to
determine the responsibility for data protection procedures (rules,
measures, data subject rights, etc.). According to the Directive 95/46/EC
the data controller determines the goal for personal data processing, but
in the digital world the roles of customer, vendor and provider could be
defined for concrete case only. The service providers have no legal
obligation to protect personal data if they are not defined as controllers
or processors. This characterization will permit to ignore the data
protection obligations at the cases of personal data outsourced or
transferred to a third party for processing.
Data subject’s rights. It is possible that many personal data are
collected at the registration procedure and this causes a risk for digital
privacy of user. A fundamental rule is to collect only data connected to
the defined goal, but some social networking sites collect extended
personal information in the page known as a “profile” (names, birth
date, address, phone number, social life, gender, country, hobbies,
relationships, etc.). These pieces of data personalize the users to a major
extent and the individuals must know the purpose of these data and
reason for processing. Another problem with the data subject’s rights is
the impossibility to revise, access, block or delete their personal data. In
other hand, the providers have a full access to the customer’s data. Data
controller must guarantee that each user could define restriction for the
own profile accessing. This will prevent unauthorized access and
incorrect dissemination of personal information. This action could be
realized by making the profile private from the user by selection of the
people who can visit the page and access to be made after
authentication.
International data transfer. According to Directive 95/46/EC
personal data could be transferred to third countries if the level of
personal data protection is adequate to those in the EU countries. The
data transfer between different locations is typical procedure in social
computing and the personal information that is uploaded must be
protected and users (data owners) must be informed for all transfers.
Data deletion. This is a big problem because if any user wants
to delete data in his/her profile he/she must be sure that these data will
be really deleted. In cases of data transferring a copy of data could be
stored in different place(s) and this copy will be not deleted. Data
protection legislation gives strong rules for deletion of personal data in
the traditional cases, but for the social networks/media this is not clearly
determined.
Information sharing. The social computing permits remote
access to individual information by different points of Internet. This
sharing of information could cause Internet-related security problems as
data losing, destroying the integrity, problems with accountability,
hackers’ attacks, etc. For example, each user of social network/media
uploads information that will be shared between a set of users and it
could be disseminated to different locations. In this case the data subject
does not know what policy and measures are used for counteraction to
eventual attacks.
Technical and organizational measures for data protection. The
data controller has the obligation to define an adequate policy for PDP
and to implement appropriate measures for information security (see
Fig. 6). These measures should be a counteraction to all forms of
destruction or loss of personal data, to an unauthorized access and to all
illegal forms of personal data processing. The digital privacy should be
guaranteed by these measures, but it is known that more data security
measures will reduce the performance of the information processing and
will increase the price. In this reason, the providers must choose the
most appropriate security measures.
4. The Latest Regulations in Privacy and PDP
Modernization of the European legislation in the field of data
protection has been made in the last years. These changes are directed to
the problems in the cyber world. For example Directive 2009/136/CE
from 25 November 2009 changes the rules for personal data processing
and digital privacy in the sector of digital communication.
Important regulation of rules for user’s privacy in cyber space has
been started by the document “Proposed Regulation” of the European
Commission (25.01.2012). This document proposes new rules to
strengthen online data protection rights. The reason for these draft
amendments is the fact “that rapid technological development and
globalization have profoundly changed the world and brought new
challenges to the protection of personal data…” (Knijpenga, 2012). It is
reported that during 1995 only 1% of European citizens used Internet,
but today many personal data are exchanged between continents for
seconds. This document proposes the paradigm “right to be forgotten”
(Article 17) and the data subject rights to data portability (Article 18) –
transfer between different electronic processing systems. The proposals
in this document have been discussed in other documents, for example:
Memorandum MEMO/13/923 (22.10.2013 г.) by the meeting
of Committee for Civil Liberties, Justice and Home Affairs (LIBE) for
supporting proposals (LIBE Committee vote backs new EU data
protection rules, http://europa.eu/rapid/press-release_MEMO-13-
923_en.htm).
Publications on the site of European Commission: “European
Data Protection Day 2013: Full speed ahead towards reliable and
modern EU data protection laws” (28.01.2013) and “Data Protection
Day 2014: Full Speed on EU Data Protection Reform” (27.01.2014).
Memorandum MEMO/14/186 (12.03.2014 г.) of European
Parliament which defines the architecture and the fundamental
principles of the data protection reform for improving user protection
and security in cyber space (Fischer, 2014). The document determines
the necessity of extension of the legislative frame, defined by previous
directives, with more strong rules for protection of the user’s rights. In
this reason, four pillars have been determined (European Commission,
2014):
Pillar (1): “One continents one law” – a requirement about the
regulation and sanctions in private and public sectors.
Pillar (2): “Strong regulation of European digital industry” – a
requirement for the non-European companies, when offering services to
European consumers, to apply the European rules and level of data
protection.
Pillar (3): “The right to be forgotten / The right to be erased” –
this is the right of an individual to remove own personal data from the
system if she/he no longer want to use the online services or there is no
legitimate reason for keeping it in this online system. This regulation
will permit the individuals to control their own online identify and to
require the personal profile to be removed from the system (including
social media platforms).
Pillar (4): A "One-stop-shop" for businesses and citizens – a
regulation for the personal data processing by controller or processor
established in more than one country of European Union.
The new principles of regulation must extend the PDP frame and
propose adequate solutions for all problems of PDP in the social
computing and in the digital world.
In other hand, the users in the field of social computing should
undertake personal measures to protect their own information. The best
practice say “protect yourself” by using modern Internet security
solutions (antivirus programs, firewalls, tools for browser protection,
reputation-checking tools, etc.). These tools must be regularly updated
and should use effective policy for authentication and authorization. The
visiting network resources must be deliberated and the reputation and
safety rating of websites before using must be analysed. Finally, the
main principle of users must be “guard your personal data”. Users must
publish limited personal and financial information on the Internet (social
media, Internet cafes, websites, libraries, forums, etc.)
5. Conclusion
Social computing is an important part of the digital world and the
communications between individuals and the information sharing
increase based on the available better-established platforms, mobile
applications and simple-to-use applications, such as short video files,
time-limited pictures, micro blogging, etc. The mobile communications
permit to organize large social groups of young users and this provokes
extension of spam, phishing and scamming in social networks. This
determines the importance of digital privacy protection.
Digital privacy is a very much discussed theme, not only about
monitoring of Internet traffic, collection of metadata from mobile phone
calls, but also about the online services using, access to shared data and
keeping personal profile for individuals. Symantec presents in “2014
Internet Security Threat Report” some statistics for increasing the
attacks (with 91%), number of breaches (with 62%) and web-based
attacks (whit 23%). Privacy in social computing concerns with
protection of user’s information and securing the user’s rights. Adequate
measures based on ICT must be used to prevent different incidents with
users’ data as unauthorized access, viruses, illegal transfer to third party,
etc. In this reason the new regulation in the PDP frame could be useful.
References
Chen, D., Zhao, H. (2012), „Data Security and Privacy Protection Issues
in Cloud Computing”. International Conference on Computer
Science and Electronics Engineering (ICCSEE). 23-25 March,
Vol. 1, pp.647-651.
Duggan, M., Smith, A. (2013), “Social Media Update 2013”.
PewResearch Internet Project, December 30. Available:
http://www.pewinternet.org/2013/12/30/social-media-update-2013/
European Commission (2014). “Progress on EU Data Protection
Reform Now Irreversible Following European Parliament Vote”,
MEMO, Strasbourg, 12 March. Available:
http://europa.eu/rapid/press-release_MEMO-14-186_en.htm
Fischer, A. E. (2014). “Improving User Protection and Security in
Cyberspace”, Report of Committee on Culture, Science,
Education and Media, Council of Europe, 12 March. Available:
http://www.statewatch.org/news/2014/mar/coe-parl-ass-
cyberspace-security.pdf
Garber, L. (2012) “The Challenges of Securing the Virtualized
Environment”, Computer, January, pp.17-23.
Kinast&Partner (2014). “Social Media and Data Protection”. Available:
http://www.kinast-partner.com/data-protection-law/social-media-
and-data-protection/)
Knijpenga, A. (2012). “The Modernization of European Data Protection
Rules”, Deloitte, 2012 (http://www.deloitte.com/assets/Dcom-
Switzerland/Local%20Assets/Documents/EN/Audit/RCL/ch_en_
the_modernization_of_european_data_protection_rules.pdf)
Lam, S. K., Riedl, J. (2012). „Are our online „friend“ really friends?”.
Computer, January, pp.91-93.
Meyer, J.P., Zhu, S. (2013). “Fair and equitable measurement of student
learning in MOOCs: An introduction to item response theory,
scale linking, and score equating”. Research & Practice in
Assessment, Vol. 8 (91), pp.26-39.
Romansky, R. (2014a). “Digital Privacy in the Network World”.
Proceedings of the International Conference on Information
Technologies (InfoTech-2014), 18-19 September, St. St.
Constantine and Elena, Bulgaria, pp.273-284.
Romansky, R. (2014b). “Privacy and Security Considerations” (Chapter
7), in PSTNization of the Internet, ed. R. Romansky (BG), B.
Khasnatish (USA), Intarea Working Group, 13 Nov., pp.9-16.
Draft publication ‘draft-rdsx1-intarea-pstnize-internet-00.txt.
Available:
http://datatracker.ietf.org/doc/draft-rdsx1-intarea-pstnize-internet/
Romansky, R. (2014c). “Social Media and Personal Data Protection”.
International Journal on Information Technologies and Security,
Vol. 6 (4), pp.65-80 (ijits-bg.com).
Yong Chen, Wu He. (2013), “Security Risks and Protection in Online
Learning: A Survey”. The International Review of Research in
Open and Distance Learning, Vol. 14 (5), pp.108-127.
(http://www.irrodl.org/index.php/irrodl/article/viewFile/1632/2750)
About the author
Radi Romansky. Full professor in Technical University of Sofia (College
of Energy and Electronics), 8 Kliment Ohridski blvd, Sofia 1000,
Bulgaria. Doctor of Science in Informatics and Computer Science, Head
of Electronics, Computer Systems and Technologies Dept. E-mail
address: rrom@tu-sofia.bg.
