Edinburgh Napier University

  When an individual signs up to an online social networking service such as Facebook, Twitter, or LinkedIn, he or she is entering into a contract with the provider. In exchange for a range of services that are free at the point of usage the provider can utilize the individual’s your personal data to sell services to advertisers. This research is part of a PhD study into the ways in which access to personal data on social networks is regulated (Haynes, 2012). It investigates a number of different regulatory mechanisms in terms of the effect that they have on the risks to which an individual is exposed. This paper reports on a qualitative survey of attitudes to risk and regulation sent to predominantly Library and Information Service (LIS) professionals. It used snowball sampling to recruit participants from a variety of online communities and discussion groups (Burgess, 1990). A total of 223 valid responses were received, of which 214 answered the question about risk priorities. One purpose of regulation is to manage risk, which is defined as “uncertainty about and severity of the events and consequences (or outcomes) of an activity with respect to something that humans value” (Aven & Renn, 2009). Regulation is normally focused in these cases on market risk and is governed by economics (Hood, 2004). The thesis for this research is that individual risk can be used to examine regulatory effectiveness and that this might be tied in with human rights rather than strictly economic criteria. A wide definition of regulation was used to mean “All forms of social or economic influence – where all mechanisms affecting behaviour – whether these be state-based or from other sources (e.g. markets) – are deemed regulatory.” The authors go on to state “that regulation may be carried out not merely by state institutions but by a host of other bodies, including corporations, self-regulators, professional or trade bodes, and voluntary organizations” (Baldwin, Cave, & Lodge, 2012, p. 2). Lessig in his exploration of regulation of the internet identified four modalities of regulation: Law, Norms, Markets, and Architecture/Code (Lessig, 2006, p. 123). This works well to some extent, but does not separate out self-regulation, so his model has been modified for the purposes of this research. A preliminary analysis of the survey of individual users from the LIS community suggests that there is a clear ranking of importance of the risk to individuals. These results will prioritise the risks used to analyse different regulatory modalities. The survey has resulted in a universe of risks and a major challenge is to find ways of grouping the risks together. Preliminary research prior to the survey found three main sources of information on individual risk. Swedelow and colleagues have compiled a corpus of nearly 3000 risks ranging from environmental threats to hazards associated with recreation (Swedlow, Kall, Zhou, Hammitt, & Wiener, 2009). However it is not geared to the type of risks that online users face. A more productive route was to look at what risks were identified when the data protection directive was being developed. These risks can be divided into two categories tangible risks and intangible risks (Lynskey, 2012, pp. 90–130). A third source of risk categories comes from the websites of campaigning and user education groups. These all fed into the risk model used in the survey. There is still some difficulty in identifying what a risk event is and what the consequence of that event (both are essential components of risk) may be. For instance, is ID theft an event or a consequence? The event of having your ID stolen may in itself not be harmful. The consequence may be that someone tries to emulate your identity when applying for online credit and the harm arises if the credit provider holds you liable for any debts that arise from use of your identity. Or is the risk and consequence at an earlier stage in the process? For instance, putting up sensitive personal information on your social media profile, such as your full name, address and birth date may result in identity theft, which could then be seen as a consequence. This research would argue that the consequence should result in harm to the individual, whether it is tangible (e.g. financial loss) or intangible (hurt feelings). This model of risk has been used for looking at regulation of access to personal data on social media, but could be extened to apply more generally to the online environment, such as: e-mail, web browsers, or websites. Another line of research might be to look at risks to organizations whose employees use social media in a personal or professional capacity, risks to the service providers, and more general risks to government and society at large.