As the public has become increasingly aware in recent years of the personal data privacy risks related to the use of social media, the Office of the Privacy Commissioner for Personal Data (PCPD) today released a report on “Comparison of Privacy Settings of Social Media” after a review of the top ten most commonly used social media platforms in Hong Kong, including Facebook, Facebook Messenger, Instagram, LINE, LinkedIn, Skype, Twitter, WeChat, WhatsApp and YouTube (in alphabetical order). According to the review results, the performance of the ten social media in terms of their privacy functions, privacy policies and the usability of privacy dashboards are summarised as follows:
All the social media reviewed would collect users’ location data (including both the precise and coarse locations).
In terms of the default privacy settings, the age and telephone number of a user are not disclosed by Skype and YouTube, while the other social media reviewed disclose users’ personal data such as age, location, email address or telephone number by default.
Twitter, WeChat and YouTube receive the highest scores for readability of their privacy policies, while the others that do not score full marks mainly lack infographics, tables or short videos in illustrating their privacy policies.
Apart from WeChat, all other instant messaging applications reviewed including Facebook Messenger, LINE, Skype and WhatsApp deploy end-to-end encryption in the transmission of messages between users.
Except for LINE, all other social media reviewed provide two-factor authentication.
Most of the social media reviewed would retain users’ credit card data.
All the privacy policies of the social media reviewed explicitly state that users’ personal data would be transferred to their affiliated companies.
Facebook, LINE, WeChat and YouTube all allow users to disseminate posts to specific individuals or groups, and modify the privacy settings of the contents after posting.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling states that: “While the online world is fascinating and users may communicate and connect with other users around the world by sharing their personal updates and messages on social media, we should not neglect the risks posed to personal data privacy arising from the use of social media. Such risks may include the abuse of personal data, data scrapping or data leakage. Personal data which is openly available may also be used by others for the purposes of doxxing, cyberbullying, phishing, or other illegal activities, leading to property loss and even physical or psychological harm of the victims. I call for greater vigilance and smart use of social media when users surf or communicate online in order to reduce the risks posed to personal data privacy.” The PCPD has issued the Report to the operators of the social media concerned. More specifically, the PCPD provides the following advice to the social media platforms:-
Operators of social media should continuously adopt "Privacy by Design" to enhance their services and provide more privacy-related functions to users so as to increase the choices available to users.
Social media platforms should be cautious of the types of personal data collected and avoid collecting more data than is necessary for its services;
Privacy policies for social media should be clear and easy to understand and should not be vague and general. The PCPD considers that the use of layered presentations, infographics, tables or short videos would help to improve the readability of privacy policies;
Social media should not track locations of its users by default and should provide choices to its users according to their needs;
Social media should provide end-to-end encryptions and two-factor authentications to strengthen the protection of users’ personal data; and
Operators of social media should also proactively tackle “doxxing”, “data scraping” or other illegal acts and limit the ways for searching users.
On the other hand, the PCPD provides the following advice to users of social media:-
Check the default settings on security or privacy of the social media, as well as the ways through which individual users may be searched on the media, with a view to minimising the disclosure of personal data and opting for the most privacy-protecting setting;
If you do not need the location tracking function, consider turning off the function to avoid the collection of location data by the social media;
Pay attention to the privacy options of contents posted and select the appropriate settings before posting the content;
Before choosing any instant messaging application, pay attention to whether it provides end-to-end encryption forms of transmission to strengthen the confidentiality of transmitted data;
Use strong passwords and enable two-factor authentication for social media to strengthen account security;
Minimise the risk of credit card data leakage by avoiding transactions on social media platforms over public Wi-Fi or unsecured Wi-Fi connections; and
Parents/guardians may consider enabling parental controls to monitor their children’s use of social media and reminding them of the consequences of excessive disclosure or sharing of personal data.
The report on “Comparison of Privacy Settings of Social Media” (Chinese version only with bilingual comparison table) can be downloaded at the PCPD’s website: https://www.pcpd.org.hk//english/resources_centre/publications/files/social_media_platforms.pdf