
Instituto Nacional

de Tecnologías
de la Comunicación

Study on the Privacy of Personal Data


and on the Security of Information in
Social Networks

INFORMATION SECURITY OBSERVATORY


Study on the Privacy of Personal Data and on the Security of Information in Social Networks
Information Security Observatory Page 1 of 143

February 2009

This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación (INTECO, the Spanish National Institute of Communication Technologies) and the Agencia Española de Protección de Datos (AEPD, the Spanish Data Protection Agency). It is released under a Creative Commons Spain 2.5 Attribution Non-commercial license, so copying, distributing and displaying this work is permitted under the following conditions:
• Attribution: The content of this report may be reproduced in whole or in part by third parties provided that its source is specified, with express reference to both INTECO and the AEPD and their websites: www.inteco.es, www.agpd.es. This attribution may in no event suggest that INTECO or the AEPD endorses the third party or the use made of the work.
• Non-commercial use: The original material and derivative works may be distributed, copied and displayed provided that this is not done for commercial purposes.
When the work is reused or distributed, its license terms must be made clear. Any of these conditions may be waived if permission is obtained from INTECO and the AEPD. Nothing in this license impairs or restricts INTECO's and the AEPD's moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/


INDEX

INDEX (p. 3)

EXECUTIVE SUMMARY (p. 7)

I Situation: definition of a social network (p. 7)

II Analysis of the most relevant aspects and specific problems of social networks (p. 8)

III Proposals and recommendations to the parties involved in social networks (p. 12)

1 INTRODUCTION AND OBJECTIVES (p. 20)

1.1 Presentation (p. 20)

1.1.1 Spanish National Institute of Communication Technologies (INTECO) (p. 20)

1.1.2 Spanish Data Protection Agency (p. 21)

1.2 Contextualizing the study (p. 22)

1.3 Objectives of the study (p. 23)

1.4 Methodology (p. 24)

1.4.1 Phase I. Data collection and fieldwork (p. 24)

1.4.2 Phase II. Information analysis (p. 28)

1.4.3 Phase III. Recommendations and conclusions (p. 29)

1.5 Content structure (p. 30)

2 SITUATION: DEFINITION OF SOCIAL NETWORKS (p. 31)

2.1 Characterizing social networks (p. 31)

2.1.1 Theoretical basis (p. 31)

2.1.2 Origin and evolution (p. 31)

2.1.3 Definitions (p. 33)

2.1.4 Keys to success (p. 35)

2.2 Typology of social networks (p. 37)

2.2.1 Generalist and recreational social networks (p. 38)

2.2.2 Professional social networks (p. 40)

2.3 Value chain and business models (p. 43)

2.3.1 Value chain of social networks (p. 43)

2.3.2 Business models (p. 45)

2.4 Risks implied by the use of social networks (p. 57)

3 ANALYSIS OF THE MOST IMPORTANT ASPECTS AND SPECIFIC PROBLEMS OF SOCIAL NETWORKS (p. 61)

3.1 Protection of the right to honor, personal and family privacy and image (p. 62)

3.1.1 Definition of the right (p. 62)

3.1.2 Applicable law (p. 65)

3.1.3 Possible risks. How could the right to honor, privacy and image be affected in a social network? (p. 69)

3.1.4 Vulnerable groups. Underage and legally incapacitated users (p. 70)

3.1.5 Measures to protect the right to honor, privacy and image (p. 73)

3.2 Personal data protection (p. 75)

3.2.1 Definition of the right (p. 75)

3.2.2 Applicable law: regulation and its evolution (p. 76)

3.2.3 Possible risks on social networks. How could personal data be affected? (p. 87)

3.2.4 Vulnerable groups. Underage and legally incapacitated persons (p. 93)

3.2.5 Measures taken to protect the personal data of users (p. 95)

3.3 Intellectual property protection in social networks (p. 96)

3.3.1 Definition of the right (p. 97)

3.3.2 Legal framework: regulations and their evolution (p. 98)

3.3.3 Probable risks. How could intellectual property rights be affected in a social network? (p. 101)

3.3.4 Specially protected groups. Underage and legally incapacitated persons (p. 103)

3.3.5 Measures to protect the intellectual property rights of users and third parties (p. 104)

3.4 Protection of users and consumers (p. 106)

3.4.1 Definition of the right (p. 107)

3.4.2 Applicable regulations: regulation and its evolution (p. 107)

3.4.3 Possible risks. How could these rights be affected? (p. 110)

3.4.4 Specific cases. Underage and legally incapacitated persons (p. 112)

3.4.5 Measures to protect the rights of users and consumers (p. 112)

4 Proposals and recommendations addressed to the agents participating in social networks (p. 115)

4.1 Proposals and recommendations addressed to the industry (p. 116)

4.1.1 Proposals and recommendations addressed to social networks and collaborative platforms (p. 116)

4.1.2 Proposals and recommendations addressed to manufacturers and providers of computer security (p. 121)

4.1.3 Proposals and recommendations addressed to Internet Service Providers (ISPs) (p. 123)

4.2 Proposals and recommendations addressed to administrations and public institutions (p. 124)

4.2.1 From a normative point of view (p. 124)

4.2.2 From an executive and administrative point of view (p. 127)

4.2.3 From an educational and informative point of view (p. 127)

4.3 Proposals and recommendations addressed to users and associations (p. 128)

4.3.1 Protection of personal data, honor, intimacy and personal image (p. 128)

4.3.2 Intellectual property (p. 129)

4.3.3 Technology and security (p. 129)

4.3.4 Protection of underage users (p. 129)

5 Conclusions (p. 132)

Annex I (p. 135)

INDEX OF GRAPHS (p. 141)

INDEX OF TABLES (p. 142)


EXECUTIVE SUMMARY

I Situation: definition of a social network

• Online social networks are services that let their users create a public profile in which they enter personal data and information. Users are given various tools to interact with each other.

• The growth of these platforms is based on a viral process: the initial users send email invitations to their contacts asking them to join the website.

• These new services are strong channels of communication and interaction that enable users to act as segmented groups: for entertainment, communication, professional purposes, etc.

• The main objective of a social network is reached when its users use it to convene events and actions that have an impact on the offline world.

• The latest statistics (from the Universal McCann study of March 2008, "Power to the people: social media. Wave 3") estimate the number of social network users at 272 million, which represents 58% of Internet users worldwide.

• In Spain 1 , as underlined in the Universal McCann study, 44.6% of Internet users use these services to stay connected with their friends and close family, or to look for persons they have lost contact with. Applying this percentage to the data recorded by Wave XX from Red.es, which reported that "between January and March 2008, around 17.6 million people had used the Internet in the previous month", it is estimated that 7.85 million 2 regular users (over 15 years old and with an Internet connection during the previous month) use social networks.

• In addition, the percentage of social network users is higher among underage users and declines with age: 7 out of 10 such Internet users are younger than 35.

1
Although the sources of information differ, they all agree that in 2008 the share of Spanish Internet users who regularly use social networks is around 40 to 50%.

2
Calculated by applying the percentage for Spain from the Universal McCann study to the number of regular Internet users obtained from Wave XX of Red.es.


II Analysis of the most relevant aspects and specific problems of social networks.

The reputation of these online spaces is not free from the risk of potential malicious attacks. National, European and international authorities have tackled the problem and have agreed to develop standards and recommendations 3 to ensure secure access for users, with specific attention to underage users.

This chapter provides an in-depth analysis of the most relevant legal issues that directly affect social networks:

Protection of honor, personal and family privacy and image.

The right to honor is inalienable and represents the right to have one's own image, name and reputation respected. It means respect for the person, regardless of the circumstances. The right to privacy protects the most intimate sphere of a person's life and is closely linked to the protection of individual dignity. Finally, the right to one's own image is intended to safeguard the image of a person in the public sphere.

In Spain, the protection of these rights is set out in the Ley Orgánica 1/1982, de 5 de mayo, de Protección Civil del Derecho al Honor, a la Intimidad Personal y Familiar y a la Propia Imagen (Organic Act 1/1982, of May 5th, on the Civil Protection of the Rights to Honor, Personal and Family Privacy and One's Own Image), which goes further than the provision of Article 18.1 of the Spanish Constitution. However, some situations are not expressly regulated, and in certain conditions (while using social networks and collaborative websites) this may be a risk for the rights of users.

Among the potential risks to privacy, we can include the following aspects:

Among the potential risks to privacy, we can include the following aspects:

3
The main regulatory initiatives come from the international level, especially from the European Commission and the Article 29 Working Party, which in recent months has announced its intention to regulate as soon as possible all aspects relating to the security and protection of users of social networks, websites, blogs and other means of user interaction on the Internet.
Thus, on 15-17 October 2008 the 30th International Conference of Data Protection and Privacy Commissioners was held in Strasbourg. There, a proposal was put forward for regulation of this type of platform that meets the following requirements: to be a worldwide standard, legally binding on any type of provider regardless of where it is located; to give users a set of protections considered basic when carrying out their activity on the Network; to guarantee a basic minimum level of protection for minors, who are native users of these services and especially unprotected against them; and to require providers to put in place a set of technological measures aimed at protecting users. Accordingly, in November 2009 the 31st International Conference of Data Protection will be held in Madrid, at which a first draft of a worldwide data protection regulation will be presented for later debate and approval at the international level.


• While registering: users might not be able to configure the privacy level of their profile, and so publish sensitive information from the moment they begin to use the social network.

• While participating in the network, users might publish sensitive information, data and images that have an impact not only on their own privacy but also on that of third parties.

o Personal privacy: even if users voluntarily publish their data on the network, the effects on their privacy might be deeper than they believe at first sight, because these platforms have powerful tools to exchange, process and analyze the information provided by their users.

o Respect for the privacy of third parties: it is essential for users to bear in mind that personal information and data relating to third parties cannot be published unless those third parties have expressly authorized it, and that they may request immediate withdrawal.

Finally, it is important to highlight that in most cases social networks allow search engines to index users' profiles, along with contact information and the profiles of friends, which may represent a further risk to privacy.

• While unsubscribing from the platform, users request the removal of their profile, but some data might remain, either personal information or pictures posted on the profiles of other users.

Furthermore, Spain provides specific protection for children, who are heavy users of such online services. They enjoy a higher level of protection insofar as the intervention of their parents or guardians is required in many circumstances.

Over the past few years, awareness of the protection of privacy and personal data has been increasing. A law on these matters has been enacted: the Spanish Ley 34/2002, de 11 de julio, de Servicios de la Sociedad de la Información y de Comercio Electrónico (Act 34/2002, of July 11th, on Information Society Services and Electronic Commerce, hereinafter the LSSI-CE). It takes account of the new social reality implied by the use of ICT in general, and of the Internet in particular, and provides a normative basis for regulating the Internet and its services in a complete and effective way.

However, as this study shows, adapting the legislation is increasingly complex because of the rapid growth of new services associated with the Information Society, such as social networks. Therefore, it is necessary to initiate and develop a new concept of "Technological Law", based on R&D, that ensures the protection of users without hindering the development of such services.

Protection of personal data

The fundamental right to data protection is specifically regulated by Article 18.4 of the Constitution, unlike the right to privacy, and it gives its holder the legal power to "control the use that is made of his/her personal data, including, among other things, preventing their personal information from being used for purposes other than those for which it was obtained" 4 .

Given the large amount of personal data that users publish on their profiles, these profiles are turning into genuine "digital identities" that give a quick picture of the user's preferences, habits, etc.

The protection of personal data has been widely developed at the European and national level. In Spain, specific legislation has been implemented through the Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal (Organic Law 15/1999 on Personal Data Protection, hereinafter the LOPD) and through Royal Decree 1720/2007 of December 21st, which approves the Regulation implementing the Organic Law on Data Protection (hereinafter the RLOPD). An extensive effort of interpretation has been made by the Agencia Española de Protección de Datos (Spanish Data Protection Agency), which has resolved cases of violation of data protection rights arising from the use of the new services offered by the Information Society. These resolutions guarantee users the best protection of their rights.

However, as underlined during the interviews and discussion groups, the protection of personal data is particularly difficult when it comes to social networks, since they are based on the publication of data by the users themselves. Thus, the potential risks to the protection of personal data include:

• Phishing and pharming. Both are widely exploited by cyber-criminals to collect the personal or financial data of Internet users (credit card numbers, PINs, etc.).

• Social spammers and spam. The use of social networks as platforms for sending unwanted messages.

• Unauthorized indexing by Internet search engines.

4
Extract from Constitutional Court Judgment (STC) 292/2000.


• Uncontrolled access to profiles. Most social networks publish all of the information in users' profiles, or at least part of it, so any user of the social network can access personal information without the owner's express consent.

• Identity theft. It is increasingly common for users who have never registered with an online social network to discover, when they do so, that their "digital identity" is already being used.

• Hyper-contextualized advertising. A priori this benefits users, since it prevents the display of irrelevant and even offensive content while they browse. However, from a legal point of view it could be considered an illegal practice, because in order to contextualize the advertising the data and preferences of users are examined.

• The installation and use of "cookies" without the consent of social network users. Another possible risk of participation lies in the website's use of cookies that enable the platform to learn about users' activities. Thanks to these tools, social networks can learn the place from which the user connects, the connection time, the device from which he/she accesses the platform (fixed or mobile), the operating system used, the most visited pages within the website, the number of clicks made, and many other data regarding the user's life on the network.

Regarding the existing measures for the protection of personal data of particularly vulnerable groups (minors and legally incapacitated persons), the particular importance of Royal Decree 1720/2007 should be underlined. It stipulates that the provision of personal data by minors under 14 years old requires the consent of their parents or guardians.

In addition, this rule explicitly states that the procedure for obtaining the child's consent must be simple and easily understandable, and that no information concerning his/her friends and relatives may be requested from him/her.

Protection of intellectual property

Regarding the protection of intellectual property on such platforms, it has been underlined that an increasing amount of protected content is being used, shared and disseminated through social networks and collaborative websites without the authorization of its owner.

Intellectual property is the right that an author holds over his/her literary, artistic or scientific work.

In Spain, the Intellectual Property Act grants authors exclusive rights over their work, meaning that any reproduction, transmission or publication of the work must be done with their authorization. Both national and European legislation are very strict, so that nobody may exploit intellectual property rights without permission from the author.

However, when it comes to violations of intellectual property rights, we must distinguish between situations where it is the users who actually infringe the law and those where the social networks do so through their General Conditions.

Social networks, in trying to fight unauthorized distribution of content through their platforms, have implemented automatic mechanisms for users to self-regulate the content published on the network. They allow users to "report" content that does not meet the conditions of registration or that violates either the rights users hold over their own works or those of third parties.

Protection of consumers and users

It has to be considered that one of the main advantages of such platforms is the ability to obtain economic benefits from advertising and from the applications developed by users of the network. The ease with which users can advertise or receive announcements of products and services is tremendous compared to the physical world. The commercial success of online advertising is also increased by the ease with which products and services can be marketed at a distance, and by the fact that social networks hold a database of users (potential customers) perfectly segmented by preferences and profiles.

As noted in the interviews and round tables conducted with users and legal experts, increased collaboration by users in identifying and controlling the kind of advertising, products and services sold through the network has helped raise the level of user security.

Similarly, for the proper development of the Information Society, and for the sale of products and services through social networks to succeed, it is essential that potential customers have full trust in the website, which must observe and comply with current legislation and the necessary technological requirements.

III Proposals and recommendations to the parties involved in social networks.

After analyzing the data collected during the qualitative research, a series of recommendations have been developed. They are addressed to social networks and collaborative platforms, Internet service providers (ISPs), manufacturers and service providers of computer security, public administrations and associations, and users:


• The Industry

Social Networks and Collaborative Platforms: The proposed general recommendations focus on: a) the compliance of their services with European and national legislation, b) the legal implications of some specific activities, c) the identification of the technological tools their services require, and d) awareness of the need for increased security measures and for the protection of users.

Regarding the specific recommendations:

Security and technological recommendations

1. Transparency and ease of access to information

o It is essential that these platforms present all the information on their services in a clear and understandable way, so that the language used in their conditions of use and privacy policies is fully understandable to any user.

o It is essential that social networks highlight on their homepages a specific section dedicated to informing their users.

o It is recommended to create "microsites" 5 with direct access from the homepage of the social network, in which the information is presented through FAQs and multimedia content.

o It is essential that social networks keep their Privacy Policy and Terms of Use free of major changes.

2. Ensure user control over the processing of the data and information published on the web by making available the largest possible number of tools aimed at enforcing their rights in an automatic, simple and quick way.

3. Set, by default, the highest level of security and privacy settings.

4. Ensure the security of the platform. The proper choice of Internet service provider (ISP) is vital so that the highest level of security is ensured: secure servers, backup facilities and secure access, among others.

5. Delete information after a reasonable time.

5
Small web pages, with specific content, that depend on a main one.


6. Respect of the rights to register and unsubscribe.
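The following model, added here as an illustration and not taken from the study or from any real social network, shows what recommendations 2, 3, 5 and 6 above look like when enforced in code, together with two risks described earlier in this summary: uncontrolled access to profiles (every registered user can read every field) and data that survives unsubscription on other users' profiles. The platform, its users, its fields and the `Visibility` levels are hypothetical assumptions. The weak and the recommended default are placed side by side so the difference in what a stranger can read is visible in the checks.

```python
"""Privacy-by-default profile model (added illustration; hypothetical platform).

Shows: most restrictive visibility as the registration default, owner control
over the audience of each field, search-engine/anonymous access only on opt-in,
and account deletion that also scrubs references left in other users' profiles.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Visibility(IntEnum):
    """Widest audience a profile field may be shown to."""
    ONLY_ME = 0
    FRIENDS = 1
    NETWORK = 2   # any registered user of the platform
    PUBLIC = 3    # anyone, including unauthenticated visitors and crawlers


# Weak default: every field readable by every registered user, which is the
# "uncontrolled access to profiles" situation described in this study.
WEAK_DEFAULT = Visibility.NETWORK
# Recommended default: nothing is shown until the owner opens it up.
STRICT_DEFAULT = Visibility.ONLY_ME


@dataclass
class Profile:
    owner: str
    fields: dict                                    # field name -> value
    visibility: dict = field(default_factory=dict)  # field name -> Visibility
    friends: set = field(default_factory=set)
    tags: list = field(default_factory=list)        # (photo, tagged user)
    indexable: bool = False                         # anonymous/crawler access is opt-in


class Platform:
    def __init__(self, default_visibility=STRICT_DEFAULT):
        self.default = default_visibility
        self.profiles = {}

    def register(self, user, **fields):
        """Create a profile; every field starts at the platform default."""
        self.profiles[user] = Profile(owner=user, fields=dict(fields),
                                      visibility={k: self.default for k in fields})

    def add_friend(self, a, b):
        self.profiles[a].friends.add(b)
        self.profiles[b].friends.add(a)

    def set_visibility(self, user, name, level):
        """Only the owner's own profile is touched: the audience of one field."""
        self.profiles[user].visibility[name] = Visibility(level)

    def set_indexable(self, user, flag):
        self.profiles[user].indexable = bool(flag)

    def tag(self, owner, photo, tagged_user):
        """Record that `owner` tagged `tagged_user` in one of their photos."""
        self.profiles[owner].tags.append((photo, tagged_user))

    def view(self, viewer, owner):
        """Return only the fields `viewer` is entitled to see.

        viewer=None (or an unknown name) is an unauthenticated visitor or a
        crawler: it sees nothing unless the owner has opted in to indexing.
        """
        p = self.profiles[owner]
        if viewer == owner:
            return dict(p.fields)
        if viewer is None or viewer not in self.profiles:
            if not p.indexable:
                return {}
            distance = Visibility.PUBLIC
        elif viewer in p.friends:
            distance = Visibility.FRIENDS
        else:
            distance = Visibility.NETWORK
        return {k: v for k, v in p.fields.items() if p.visibility[k] >= distance}

    def delete_account(self, user):
        """Remove the profile and scrub references held by other users.

        Returns the number of references (friend links and photo tags) removed
        from other profiles, so the caller can verify nothing was left behind.
        """
        del self.profiles[user]
        scrubbed = 0
        for p in self.profiles.values():
            if user in p.friends:
                p.friends.discard(user)
                scrubbed += 1
            before = len(p.tags)
            p.tags = [t for t in p.tags if t[1] != user]
            scrubbed += before - len(p.tags)
        return scrubbed
```

The design point is that the audience check is a single comparison of the field's widest permitted audience against the viewer's relationship to the owner, so widening a field is always an explicit act by the owner; and that deletion returns a count rather than silently succeeding, so a platform can audit that the profile's traces in friend lists and photo tags were actually removed.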

Recommendations on training and awareness

1. Internal development of websites aimed at making available as much information as possible on the processing of personal data and the implications that may arise from publishing content on social networks.

2. Make available to users information on the security measures implemented on the platform and the actions they may take in case of violation of their rights.

3. Given that the vast majority of users of generalist social networks are underage, it is crucial that social networks and collaborative platforms, together with public authorities, associations and organizations whose purpose is the protection of such groups, lead joint initiatives to train underage users and their guardians in user security, and investigate the technological options available for verifying users' age.

4. Volunteer programs within the company to collaborate with schools and training centers in order to spread awareness of the importance of security and to pass on the main recommendations to be considered when using such services.

Addressed to manufacturers and providers of computer security

Manufacturers and suppliers of security must take into account two key aspects to
achieve the highest level of security: a) the prevention of online fraud, and b) research
and development of secure technological tools. In this way, it is recommended to promote
in the sector the following aspects:

1. That the marketed applications implemented in social networks have been


developed, revised and evaluated in accordance with the quality, security and
privacy standards that guarantee their use is respectful and secured towards the
users´ rights. Their proper functioning should also be reviewed.

2. The companies dedicated to security should encourage the interoperability of their
security systems, promoting the implementation of standard protocols and systems in
social networks that will guarantee compliance with pre-established codes of conduct.

3. In this respect, it is recommended to collaborate directly with the Security Forces
of the State in the investigation of new risk situations for the users, in order to
develop applications able to detect, act upon and counteract any situation unfavorable
to the users of the platform.

4. It is recommended that manufacturers and providers of computer security be proactive
in detecting malicious code ("malware") that creates security holes in the platform, as
well as in elaborating black lists of the domain names that present unauthorized
contents or that do not abide by the security criteria previously mentioned.

5. It is recommended for the manufacturers to develop security patches and updates to
guarantee that the persons in charge of the platform as well as the users are using
entirely updated and secure applications.

6. In this respect, it is recommended for these manufacturers to develop applications
that comply with international standards.

7. It is recommended to develop remote applications that allow parents to have complete
control over the contents and the operations carried out by underage users on the
Internet.

8. To include in the technical descriptions of software processing personal data the
technical description of the basic, medium and high security levels defined by the LOPD
(Spanish legislation on personal data protection).

9. It is also recommended for the manufacturers of security software together with the
relevant public administration to encourage the development of tools dedicated to
reduce the reception of spam through social networks and similar platforms.

Addressed to providers of Internet access services (ISP)

The proposed recommendations for this Group include:

1. Create a platform for secure and reliable communication with the Security Forces of
the State and Judicial authorities.

2. The full support and assistance to the Security Forces of the State.

3. Provide information to users and customers about the security measures that protect
the connection service.

4. Immediately address the complaints when received.


Addressed to administrations and public institutions.

Normative point of view:

Regarding the protection of personal data, among the proposals, are included the
following aspects:

• Global Legal Security: promoting basic regulatory principles at the international, or
at least at the Community, level.

• Penalties must be implemented and strengthened for those platforms or users who
illegally obtain information.

• It is recommended for the public authorities to work for a uniform international law on
personal data protection, honor, privacy and image.

Intellectual Property:

• Encourage, or oblige, this kind of platform to make public, or at least to emphasize,
that the contents published on their network will become their property, before users
publish any content on it.

• It is recommended for competent authorities to promote direct agreements between the
audiovisual and music industries and the main content delivery platforms.

• It is recommended for the service providers of the Information Society to implement
automated, free, simple and effective tools for the owners of works protected by
intellectual property rights to report unauthorized contents.

• To ensure fair compensation for copyright holders.

Customers and Users:

• It is recommended that the legislation clearly states which authority is competent to
deal with complaints from consumers and users.

• Promote effective and efficient mechanisms for blocking access to online platforms.

Executive and administrative point of view:

• Specific training in technological law for judges, magistrates, prosecutors and court
clerks.


• It is necessary to equip the technological units of the Security Forces, whether they
belong to the State, the autonomous communities or the international community, with
technological tools that will allow them to investigate, to maintain the chain of
custody of electronic evidence and to block situations likely to cause harm to the
users of social networks and collaborative platforms.

• Development and articulation of fast and free judicial proceedings so that users will
be better protected.

Formative and Informative point of view:

• Conduct awareness campaigns on the risks represented by the spreading of personal
data in social networks.

• Conduct training workshops and outreach programs related to security.

• Create classes on data protection and security on the web.

• Conduct awareness-raising and promotion campaigns on security on the Internet through
the media 2.0.

Addressed to users and associations

Below is a series of recommendations addressed to the users of social networks and
collaborative platforms, with the objective of informing them of the benefits these
kinds of services may bring, but also of the harmful (but easily avoidable) situations
they may be confronted with while using them.

1. It is recommended for all users to use pseudonyms or nicknames, enabling them to
have a genuine "digital identity".

2. It is recommended for the users to be especially careful when publishing audiovisual
contents and graphics on their profiles, since they may put at risk their privacy and
the privacy of those around them.

3. It is recommended to review and read the conditions of use and the Privacy Policy of
the platform before registering as a user.

4. It is recommended to configure the privacy level of the profile adequately in the
social network, so that it is not completely public but only available to those
previously catalogued by the user as "friends" or "direct contacts".

5. It is recommended to accept as contacts only persons the user knows.


6. It is recommended not to publish in the user profile contact information that would
allow anyone to know where the user lives, works or studies, or the places the user
usually frequents for daily activities or leisure.

7. For the users of microblogging tools 6, it is recommended to take special care when
publishing information about where they are at any given time.

8. It is recommended to use and disclose only the contents the user has rights upon.

9. Users are encouraged to use different usernames and passwords for each of the social
networks they are members of.

10. It is recommended to use passwords with a minimum length of 8 characters,
alphanumeric, combining upper and lower case letters.

11. It is recommended that all users have on their computers antivirus software
properly updated.

12. Underage users should not reveal personal information. Data should never be
provided to strangers.

13. All information concerning the website should be read. It must explain who the
owners are and the purpose for which the data are required.

14. If the user is under fourteen, the consent of the parents or guardians is also
required. In these cases, their consent will be requested when subscribing, accepting
friends, etc.

15. Users should not communicate their usernames and passwords to others, or share them
with friends or classmates. These data are private and should not be communicated to
third parties and/or unknown persons.

16. Whenever there are any questions regarding any situation arising from the use of
social networks and collaborative tools, the parents or guardians should be asked.

17. The computer must be kept in a common area of the house.

18. There should be some rules on the use of Internet at home.

6 This type of platform is based on the constant update of the user profiles. More
information is available in Chapter 3 of this document.


19. Parents should explain the benefits and the risks of such platforms to their
children.

20. Activate the parental control.

21. Ensure that age verification controls are implemented.

22. Ensure the correct implementation of the inappropriate content blocker.

23. Teach children about security issues.

24. Explain to children that they must never meet in person anyone they have met online,
and that if they do so their parents or guardians must always accompany them.

25. Ensure that the children know the risks and implications of hosting content such as
videos and photographs, as well as of using webcams, through social networks.

26. Check the user profile of the children.

27. Ensure that the children only access pages recommended for their age.

28. Ensure that the children do not use their full name.


1 INTRODUCTION AND OBJECTIVES

1.1 Presentation

1.1.1 Spanish National Institute of Communication Technologies (INTECO)


The Spanish Instituto Nacional de Tecnologías de la Comunicación (INTECO): The Spanish
National Institute of Communication Technologies, sponsored by the Ministry of Industry,
Tourism and Trade, is a platform for the development of the Information Society through
innovative and technological projects: firstly, to contribute to the convergence of
Spain with the European Information Society, and secondly, to promote regional
development.

The mission of INTECO is to promote and develop innovative projects related to the field
of Communication and Information Technologies (TIC) and the Information Society, in
order to improve the position of Spain in Europe and to provide the country with new
competitive advantages, by extending its abilities in both the European and the Latin
American environment. Thus, the Institute intends to be a development center of strong
public interest aiming at developing the use of new technologies in Spain.

The social objective of INTECO is the management, counseling, advocacy and spreading
of technological projects related to the Information Society. To do this, INTECO develops
actions that follow the strategic lines of a) the Technological Security, b) the Accessibility
and c) the Software Quality.

El Observatorio de la Seguridad de la Información: The Information Security Observatory
is part of the strategic line of actions of INTECO for Technological Security.

The Observatory aims at describing in detail the level of security and trust regarding the
Information Society. It seeks to generate expertise in the area. Thus, it is at the service of
the citizens, the companies and the Spanish administration to describe, analyze, and
spread the culture of Information Security and e-Trust.

The Observatory has designed an Activities and Researches Plan in order to produce
useful knowledge and expertise related to security on the Internet and to develop
recommendations and proposals to define trends that will be valid for future decisions of
public authorities.

Within this action plan, research, analyses, studies, counseling and outreach activities
are carried out to address, inter alia, the following aspects:


• Development of internal studies and studies on the Security of TIC, with special
emphasis on the Internet Security.

• Monitoring of key indicators and of public policies related to the security of
information at the national and international level.

• Creation of a database to enable the analysis and evaluation of the security and
trust with a time perspective.

• Promotion of researches on secure technologies.

• Spreading of studies and reports published by other entities and national and
international organizations, as well as of information on current national and
European policy on security and trust regarding the Information Society.

• Advising the government on the security of information as well as supporting the
development, monitoring and evaluation of public policies in this field.

More information: http://www.inteco.es

More information: http://observatorio.inteco.es

1.1.2 Spanish Data Protection Agency


The Spanish Data Protection Agency is an entity that operates independently from the
government and that aims at enforcing and implementing the provisions contained in the
Spanish Ley Orgánica 15/1999 de Protección de Datos (Organic Act 15/1999 on Personal
Data Protection, hereinafter referred to as the LOPD) and its implementing rules.

Its functions are to ensure the compliance with the data protection legislation and to
monitor its implementation, particularly regarding the rights to information, access,
rectification, opposition and cancellation of data.

Among its functions may be underlined the following points:

• An obligation to answer requests and complaints that may be made by those affected by
this issue.

• The power to sanction violations that may be committed in this field.

• Statistical data collection.

• Informing on the standards impacting the protection of data.

• Issuing instructions and recommendations for a proper compliance with the LOPD.


More information: http://www.agpd.es

1.2 Contextualizing the study

Nowadays the Internet is an arena of social relationships based on the increasing
involvement of its users in:

• The editing, validation and publication of contents in various formats: text, audio,
video.

• The specialization of the published contents. The websites are segmented in a variety
of communities ranging from pure entertainment to professional life. Users are also
segmented by age group: teenagers, adults, etc.

The technological and social changes have contributed to the establishment and the
growth of this new popular form of creation based on the collaboration and the access to
information.

The current trend on the Internet is to focus on the user (through forums, blogs, wikis
and social networks), in other words, on all those utilities and services that are based
on a database that the users may change while processing the contents (adding, changing
or deleting information).

Unfortunately, these social spaces are not free from danger or possible malicious attacks:

• The user provides a series of personal data to register for these sites that are
protected by the Spanish law. Moreover, the very nature of these sites means that
their users will include extensive information about their preferences and needs,
which also has to be protected, especially in the case of underage users and
persons without legal capacity to act.

The fact that social networks are based on the principle of making publicly
available the maximum amount of information, causes, both directly and indirectly,
the emergence of innumerable legal problems only partly covered by the Spanish
legislation.

• Some of the most representative sites have been targeted by online fraud. There
have been situations where a person steals the identity of a legitimate company or
a trusted friend, in order to obtain personal information, PIN or credit card
numbers.

• It is common for users to use the same password for the different virtual communities
they belong to, which means that a breach of one of them can affect all the data they
have provided in their communities. The situation is exacerbated when users use the
same password to manage their financial activity.

In this context, the users´ security (especially underage and legally incapacitated users)
and the security of information, as well as the protection of privacy and personal data will
constitute the most relevant part of the analysis.

Indeed, it becomes necessary to conduct a study that will examine, investigate, and
develop on:

a) The security,

b) The legal and social aspects and

c) The technological characteristics

of the social networks that operate in Spain, with a specific attention to their effects and
their use by underage people.

This study will also reveal the different opinions shared by the sector, in order to
guide future private or public initiatives aiming at reaching a good balance between the
potential of these new tools, their limits and the rights of their users.

1.3 Objectives of the Study.

The overall objective of the study is to develop an analysis on the security of social
networks and collaborative platforms, with a specific attention to underage and legally
incapacitated users, through an assessment and a diagnosis of a) their legal,
technological and sociological aspects, b) the security of their contents, c) the agents
participating in them, d) the privacy and the data protection of the users who are related to
each other through these websites.

This overall objective will be divided into specific sections:

• Legal analysis of social networks to determine the legal responsibilities and
obligations of these service providers in Spain.

• Comparative study on the laws affecting these platforms for the European Union and
for the U.S. with a particular attention to the penetration of social networks in these
countries as well as to the legislative initiatives and projects related to them.

• Analysis of the different actors involved in the collaborative webs (ISP, advertising
agencies, content agencies, etc.) regarding their legitimacy and their responsibility in
the functioning of these platforms.


• Technological and sociological analysis of social networks, which will describe the
functioning of these new forms of social interaction: flow of information and tools to
share contents and communicate with other users.

• Analysis of the privacy and data protection of the users and the people who maintain
relationships through social networks.

• Analysis of the security: assessment of the specific risks that might arise from the
use of these websites especially for underage and legally incapacitated users.

• Analysis of the specific case of underage and legally incapacitated persons regarding
the protection of their personal rights and the protection of their honor, privacy and
image.

• Delimitation of the potential threats and risks while using this kind of collaborative
networks. Measures to reach the proper balance between the possibilities of these
tools, their legitimacy and the protection of the privacy and the data of the users.

With the achievement of these objectives, we want to provide information and
recommendations for action regarding the legal, technological and security aspects of
this kind of platform.

1.4 Methodology

The methodology used for this study has been designed with the following objective:
providing updated information on the situation and the vision of the users, the industry
and the public sector, as well as providing the most rigorous analysis of the legal and
technological aspects affecting social networks and collaborative websites.

The study and the analysis were developed in different phases:

1.4.1 Phase I. Data Collection and Fieldwork


The objective of this phase was to obtain as much information as possible regarding the
phenomenon of social networking. The following tasks have been realized:

1. Documentary search for resources related to social networks

a) Official documentation published by the European Union and international
institutions 7.

7
Among others: Grupo de Trabajo del Artículo 29; European Network and Information Security Agency, Foro
de Cooperación Económica Asia Pacífico (APEC), etc.


b) Studies released by private entities.

c) Statistical analyses of social networks.

d) Articles and news.

2. Identification of the main actors involved in the phenomenon of social networks in
Spain. Their level of compliance with the national legislation and their specific
aspects will be considered later in the study.

3. Conducting a survey of 2.860 Internet users (over 15 years old) on the use of social
networks between April and June 2008 8. The characteristics of the fieldwork for this
survey are described below:

• Population of concern: Spanish users with frequent access to the Internet from
home (at least once a month) and older than 15 years old.

• Sampling method and distribution: We have extracted a representative sample of 2.860
Internet users, according to the following model:

o Stratification by Autonomous Communities to ensure their proper representation.

o Sampling by quotas (household, age, sex, activity and resources 9 ).

8
Quantitative results obtained from the sample are based on opinions and perceptions of the surveyed users.
9
Provided by Red.es, a public company belonging to the Ministry of Industry, Commerce and Tourism. (“TIC
in Spanish homes: 11th Wave-October 2006”).


Table 1: Sampling by Autonomous Communities (%)

Autonomous Communities      Obtained Sample   Theoretical Sample
Andalusia                         15.2               15.2
Aragon                             3.5                3.0
Asturias                           3.6                2.5
Balearic Islands                   1.9                2.7
Canaries                           4.3                4.7
Cantabria                          1.4                1.3
Castille-La Mancha                 3.0                2.9
Castille and Leon                  6.2                5.4
Catalonia                         17.0               18.5
Basque Country                     5.1                4.7
Extremadura                        1.6                1.4
Galicia                            6.4                4.5
Madrid                            16.8               18.6
Murcia                             2.2                2.5
Navarre                            1.0                1.4
La Rioja                           0.4                0.7
Valencian Community               10.2               10.0
Source: INTECO


Table 2: Sampling by Socio-demographic Categories (%)

Concept                      Obtained Sample   Theoretical Sample
Activity
  Workers                          83.9               71.7
  Unemployed                        7.8                4.6
  Students                          3.2               16.1
  Retired                           2.7                3.0
  Others/Inactive                   2.4                4.6
Household
  1                                 8.2                3.2
  2                                22.6               15.4
  3                                24.3               28.7
  4 and more                       45.0               52.7
Sex
  Man                              51.0               53.7
  Woman                            49.0               46.3
Resources
  More than 20.000                 28.1               24.8
  From 20.001 to 100.000           24.8               24.1
  More than 100.000                47.2               51.1
Age
  Up to 24                         21.6               23.4
  25-35                            37.1               28.2
  35-49                            32.4               31.8
  50 and more                       8.8               16.6
Sampling base = 2.860                                 Source: INTECO

• Capture of information: Online interviews from a panel of Internet users with a total
of 2860 respondents.

• Fieldwork: Carried out between April and June 2008.

• Sampling error: According to the criteria of simple random sampling for dichotomous
variables, with p=q=0.5 and a confidence level of 95.5%, the sampling error is
calculated as follows:

Total sample n= 2.860, sampling error ±1.87%.
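The figure above can be reproduced with the standard sampling-error formula for simple random sampling of a dichotomous variable; this derivation is added here as a worked check and is not part of the original report. The only assumption is that the 95.5% confidence level corresponds to z = 2 (two standard deviations of the normal distribution):

$$
e = z\sqrt{\frac{p\,q}{n}}
  = 2\sqrt{\frac{0.5 \times 0.5}{2860}}
  = 2\sqrt{8.74 \times 10^{-5}}
  \approx 2 \times 0.00935
  \approx 0.0187
$$

That is, e ≈ ±1.87%, matching the value stated for n = 2.860.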

4. Conducting 35 in-depth interviews with:

a) Persons responsible for the legal and technological aspects of various social networks.


b) Social Networks users.

c) Professionals in the field of Technological Law and Information Security.

d) Public institutions and non-profit organizations.

5. Creation of 3 discussion groups:

a) A “Legal and Information Security” Group.

b) A Group of social network users.

c) A Group of underage users of social Networks.

1.4.2 Phase II. Information Analysis.


Following the completion of the fieldwork and the collection of the information available on
the phenomenon, social networks have been analyzed from the following points of view:

Legal Aspects

• Protection of the rights to honor, image, intimacy and privacy.

• Protection of Personal Data.

• Protection of consumers and users.

• Protection of intellectual property.

• Protection of underage and legally incapacitated users.

• Protection of workers.

Aspects related to the information security.

• Security systems configured by the websites.

• Systems for the internal protection of users and contents. Systems of complaints.

• Systems for anticipated settlement.

• Systems for the protection of underage and legally incapacitated users.

Aspects related to the business models and the means of exploitation

• Creation of social networks.


• E-commerce through social networks.

• Value chain.

• New business lines and problems related to their security.

Aspects related to the social perception of social networks

• Social networks as a new form of social contacts.

• Social networks and trend creation.

• Sociological dangers generated by social networks.

The analysis of social networks is based on all those aspects. These platforms can be
considered as a new social reality by which the users could develop themselves as
individuals.

The analysis also focused on the industry. It highlights its key challenges and
vulnerabilities.

1.4.3 Phase III. Recommendations and conclusions


After analyzing and classifying the collected information, and after clarifying the results of
the interviews, we detected a certain number of patterns related to the opinions of social
network users and the purposes of these platforms.

The recommendations focus on the best ways to improve social networks, and also on the
correct use of these ones by their users. Thus, the recommendations are addressed to:

• The industry: recommendations to handle the main problems detected while carrying out
the studies and conducting the interviews and discussion groups.

• Public administrations: recommendations to the various organs of the administration in
order for them to have the necessary knowledge to better protect the interests of social
network users.

• Users and associations: recommendations for them to have valid information on how to
operate while using social networks.

The conclusions of the document aim at dealing with the largest number of situations that
might be encountered in the field of social networks.


1.5 Content Structure

This study is divided into the following parts:

Situation and definition of social networks

Offers a clear and simple overview of the current situation of the sector (the existing
social networks and the key business models) in order to better understand the problems
raised by these platforms and their position on the market.

Analysis of the most relevant aspects and the specific problems of social networks.

This section presents the main rights protecting the users of social networks,
especially those of the third group (underage and legally incapacitated users) and the
workers.

The analysis focuses on the legislation, the applicable protective measures and the
attitudes of social networks regarding these aspects. It has been divided into four fields:

• The right to honor, privacy and image: the actions of both users and networks are
taken into account. The analysis goes beyond the sphere of data protection, e.g.
transfers of images for commercial purposes.

• Protection of personal data: we studied the activities of different social networks,
taking into account inter alia: the kind of users, the collected data and the way they
are processed.

• Intellectual and industrial property: from the perspective of intellectual property,
the transfers of rights via collaborative platforms and their applications have been
studied. From the perspective of industrial property, the uses of trade names and
trademarks by the platforms and their users have been examined.

• Consumers and users: The various defensive measures available to the users of
social networks have been discussed.

Recommendations and conclusions

The recommendations focus on the best ways to improve social networks, and also on
the correct use of these ones by their users. These recommendations are addressed to
the industry, the government, the users and their representative associations.

The conclusions have been specifically drafted to apply to the largest number of situations
related to social networks and collaborative websites.


2 SITUATION: DEFINITION OF SOCIAL NETWORKS

This chapter provides an overview on the current situation of various social networks, the
kind of networks available for the public and the main business models used in this sector
in order to understand the situation and the problems related to this kind of platforms and
their current position on the market.

2.1 Characterizing Social Networks.

2.1.1 Theoretical Basis


Social Networks refer to online platforms from which registered users can interact, share
information, images or videos, allowing these publications to be immediately accessible by
all the users of their group.

The analysis of social networks has been appearing in many social studies during the past
twenty years: they are considered as a new tool for analyzing individuals and their social
interactions. Since they focus on the personal and collective relationships and not on the
characteristics of the individuals (race, age, income, education) they have been used to
study the habits, tastes and ways of interacting among social groups.

Every social network is based on the theory of six degrees of separation 10, according to
which any individual can be connected to any other person on the planet through a chain
of acquaintances with no more than five intermediaries (with a total of six connections).
The number of acquaintances increases with each link in the chain. Individuals in the
first degree are the closest friends and family. As the degrees of separation increase,
the relationship and the trust decrease.

The Internet and the development of powerful software applications, which made it possible
to create platforms dedicated to the exchange of information and to interaction between
individuals, have brought about a real revolution that favored the emergence of the concept
of social network as it is known today. The universality of the web makes it possible to
expand the number of contacts quickly and to build closer ties between users who share
common interests.

2.1.2 Origin and evolution


The first social network was created in 1995, when Randy Conrads conceived the website
“classmates.com”. This social network was intended to let users find or keep in touch with
former classmates from school, secondary school, university, etc.

[10] Theory developed in 1929 by the Hungarian writer Frigyes Karinthy. Also mentioned in the book “Six
Degrees: The Science of a Connected Age” by the sociologist Duncan Watts, who says that anyone on the
planet is accessible in only six jumps.


In 2002 websites that promote networking among circles of online friends began to
appear, gaining popularity in 2003 with the creation of websites like MySpace or Xing.

The popularity of these platforms has grown exponentially. Large multinational companies
then developed new projects taking advantage of the success of social networks: for
example, Orkut by Google or Yahoo! 360° by Yahoo!. Thematic social networks then
began to appear [11].

Table 3: Social Networks (year of launch)

Year   Networks
1995   Classmates
1997   SixDegrees
2002   Friendster, Fotolog
2003   MySpace, LinkedIn, Hi5, Second Life
2004   Orkut
2005   Yahoo! 360°, Bebo
2006   Facebook, Twitter, Tuenti
2007   Lively
Source: INTECO based on Panda Security

The increased popularity of social networking went hand in hand with the growing number
of websites dedicated to exchanging content. This turned the Internet into a new medium
for social interaction, entertainment and content sharing. At the earliest stage, users were
regarded as mere consumers of content created by others; now they can create their own
content with a computer, an Internet connection and basic knowledge of Internet use.

The expansion of this phenomenon was recently measured by the Universal McCann study
(Power to the People: Social Media, 3rd Wave Study, March 2008), which estimated the
number of social network users at 272 million. This represents 58% of registered Internet
users worldwide, and an increase of 21% compared to the data recorded in June 2007.

In Spain [12], as underlined in the Universal McCann study, 44.6% of Internet users use
these services (Graph 1) to stay connected with their friends and close family, or to look for
people they have lost contact with. Applying this percentage to the data recorded by Wave
XX of Red.es, which highlighted that “between January and March 2008, around 17.6
million people had used the Internet in the previous month”, it is estimated that 7.85 million
regular users (over 15 years old and with an Internet connection during the last month) are
using social networks [13].

[11] In Spain, some social networks (Minube.com, Patatabrava.com, Moterus.com, VIVO.com) are dedicated to
specific sectors such as travelling, motorcycles and entertainment.
[12] Even if the sources of information are diverse, they all agree that, for 2008, the proportion of Spanish
Internet users who regularly use social networks is around 40 to 50%. It was, for example, 50% according to
Zed Digital (The Phenomenon of Social Networks. Perception, Uses and Advertising. November 2008) or 45%
according to The Cocktail Analysis (Observatory for the Assessment of Social Networks. Online Communication
Tools: Social Networks. November 2008).

Graph 1: Percentage of Social Network Users in Spain. March 2008.

Use: 44.6%    Don't use: 53.4%

Source: INTECO based on Universal McCann

These new services are powerful channels of communication and interaction, allowing
users to act as segmented groups (for entertainment, communication, professional life,
etc.). The network is therefore consolidated as a space for building relationships,
communities and other social systems in which participation is motivated by reputation.

2.1.3 Definitions
The concept of social network has been widely discussed by professionals from different
sectors, and there is currently no absolute and widely accepted definition.

[13] In this sense, a study carried out in 2008 by the market research company comScore revealed that
8,828,000 Spaniards belonged to one of these networks. More information at:
http://advertising.microsoft.com/espana/estudio-comscore-para-las-redes-sociales


Before examining the concept of social network, it is necessary to differentiate traditional
social networks from online social networks [14].

A social network primarily designates a form of interaction between people and/or
communities of people. Here are some definitions of social networks:

“Forms of social interaction, which are defined primarily by the dynamic exchange
between their subjects. Networks are open systems of individuals who can be identified by
the similitude of their needs and problems. Networks, therefore, stand as a form of social
organization that allows a group of people to enhance their resources and that contributes
to solving their problems” [15].

“Networks are forms of social interaction, defined as a dynamic exchange between
individuals, groups or institutions, involving similar individuals identified by their needs and
issues and that are organized to leverage their resources” [16].

“Overall, the concept of network is used to refer to two phenomena: networks are on one
hand considered to be a set of interactions that occur spontaneously, and on the other,
and this is the most interesting aspect, networks aim to organize these spontaneous
interactions with a certain degree of formality, for the establishment of common interests,
problems, questions, and goals” [17].

Given the importance of this phenomenon, the International Group on Data Protection in
Telecommunications in Berlin agreed on the “Rome Memorandum” [18] at its meeting in
March 2008. “One of the challenges that can be observed is that most of the information
published on social networks is done under the initiative of users and based on their
consent”. The Memorandum also analyzes the privacy and security risks posed by social
networks, and underlines that these do not provide “free services”, since their users pay
through secondary uses of their profiles, such as targeted marketing.

[14] Although the concept of social network is used interchangeably to designate online social networks and
traditional ones, this is an error that may distort the subsequent analysis. We can say that online social
networks are “services involving the creation of online communities of people who share interests and
activities, and who learn from others”.
[15] From “Network. An approach to the concept”, Marta Rizo García, Autonomous University of Mexico City.
[16] From “Castilla y León 2.0. Towards Information Collaboration”, 2008 edition.
[17] From the article “Networks. An approach to the concept” by Marta Rizo García, Ph.D. in Communication
from the Universidad Autonoma de Barcelona and professor-researcher of the Academy of Communication
and Culture and of the Studies Center on the City of the Universidad Autonoma de Mexico. Member of the
Training Network on Communication Theory and Comunicología (REDECOM, Mexico) and the Network for
Studies in Cyberculture and TIC (RECIBER, Mexico).
[18] http://www.datenschutz-berlin.de/attachments/461/WP_social_network_services.pdf


In October 2007 the European Network and Information Security Agency (ENISA) published
its “Recommendations for the security of online social networks” [19], addressed to social
network providers and to the bodies that legislate in this field, which recommended
investing in the education of social network users and promoting greater control over
access to the services.

We can conclude from the above considerations that: “Social networks are online services
provided through the Internet that allow their users to generate a profile where they can
publish data and personal information; that provide tools to interact with other users; and
that allow users to be located according to the characteristics published in their profiles”.

2.1.4 Keys to success


The following aspects led to the success of this online phenomenon:

The growth of these platforms is primarily based on the technique known as “word of
mouth”, a viral [20] process in which an initial number of participants invite their friends to
join the website by e-mail. New members repeat the process, rapidly increasing the total
number of members. Graph 2 illustrates this idea. In Spain, more than one third of social
network users (37.0%) have more than 50 contacts: 19.4% have 51 to 100 contacts and
17.6% have more than 100. Only one fifth (21.5%) have fewer than 10 contacts, which
gives an idea of the degree of dispersion and the rate of penetration of these services.

[19] http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf
[20] When talking about a viral process with regard to social networks, this refers to the ability of such networks
to reach maximum growth in users in the shortest time possible. This is a concept directly related to marketing.


Graph 2: Number of contacts of social network users in Spain. October 2008

Fewer than 10: 21.5%    10 to 50: 41.5%    51 to 100: 19.4%    More than 100: 17.6%

Source: INTECO based on Zed Digital

Social networks offer various applications and features, including automatic address book
import from e-mail accounts, public profiles visible to all visitors, etc. These applications
are based on three variables known as the “3Cs”:

o Communication (sharing of knowledge).

o Community (finding and integrating communities).

o Cooperation (doing activities together).

Social networks focus on getting their members to use online media to convene events
and actions that have an impact on the offline world. Good examples of this are the
“shopping social networks”, through which users can share their views, tastes and
experiences about certain products and services and can arrange to shop in large groups
in order to get discounts. This kind of network also allows users to receive
recommendations for activities in their daily lives (leisure, dining, etc.) according to their
preferences.

2.2 Typology of social networks

Social networks can be categorized according to their targeted public, or the kind of
contents they publish. There are, at least, two main social network groups: generalist and
professional.


Although each one has a certain number of specific aspects, both share common
structural features:

• Their primary purpose is to allow people to make contacts and to interrelate. The
platform makes it easy and quick to keep in touch with other users.

• They allow interaction between all users of the platform, either by sharing
information, allowing direct contact or by facilitating new contacts of interest.

• They allow and encourage users to make initial contact with others online and
eventually meet in the real world.

• They allow unlimited contact between users, so that the concepts of space and time
become relative. Users are able to communicate with each other from anywhere at
any time, provided that both parties agree to interact.

• They promote the viral expansion of the network, using this method as the principal
way to increase the number of users.

The following pages define each one of the previous groups according to their targeted
audience and the kind of contents they host.

2.2.1 Generalist and recreational social networks.


Such networks are characterized by their main objective: establishing and reinforcing
personal relationships between their users. Their growth has been tremendous in recent
years. Some platforms such as Facebook have more than 120 million active users entering
daily, who also create their own content [21].

According to some data [22], such networks have replaced other media, such as instant
messaging, that were widely used in recent years. This is largely due to the aspects that
characterize generalist social networks:

• They offer a variety of applications and/or functions that spare users the trouble of
using external communication tools, by providing a platform that integrates all the
necessary applications on a single screen.

• They offer and encourage people not only to operate online, but also to organize their
daily lives through the platform [23].

• They provide users with the code used to program the platform [24], so that they can
develop their own applications, which run within the social network, thereby increasing
the usefulness of the platform and thus its diffusion.

[21] Data published in The Facebook Blog and in CNET News.
[22] According to the latest study by the Pew Internet & American Life Project, “Social Networking Websites
and Teens: An Overview” by Amanda Lenhart and Mary Madden, 55% of underage users connected to the
Internet have created and frequently update a user profile on at least one social network.

A sub-classification of generalist social networks can be made, depending on their
purpose or theme:

Platform to exchange content and information

Services such as YouTube, Dalealplay.com, Google Video, etc., are characterized by
providing free and simple tools for exchanging and publishing digital content (videos,
photos, text, etc.).

Strictly speaking, they cannot be considered genuine social networks, as they only allow
the publication of content that other users can view, limiting the interaction between users
to comments on the content and to ratings.

However, although these platforms were originally independent of social networks, they
now allow content to be linked and advertised directly from the user's profile [25].

Social Networks based on User’s Profiles.

Networks such as Facebook, Tuenti, Wamba, Orkut, etc., are the most representative
social networks on the Internet [26].

The possibility for third parties to develop applications on these platforms, and the ease
with which their users can interact with each other, is making traditional communication
tools less useful.

Such networks are often divided by topic, creating large communities of users with high
levels of expertise in specific issues. They are becoming great sources of information and
knowledge [27].

[23] A clear example of this is the social network www.salir.com, where Spanish users recommend places to
visit in a given town or organize events.
[24] A clear example of this practice is the OpenSocial platform, owned by Google, whose potential is very
high. For more information please go to http://code.google.com/apis/opensocial.
[25] It should be noted that the vast majority of content exchange platforms, like YouTube, DeviantArt or
Fotolog, make shortcut icons to the main social networks available to their users.
[26] So determined by the study recently published by the newspaper Le Monde, “Réseaux sociaux: des
audiences différentes selon les continents”. This report clearly shows that the most visited social networks on
every continent are profile-based social networks such as MySpace, Facebook, Tuenti, Friendster, Netlog and
Bebo.


Microblogging or Nanoblogging.

Platforms such as Twitter or Yammer are services based on users' profiles that are
constantly updated through short text messages of no more than 160 characters. This
allows users to give the others clear, concise, simple and fast information on the activities,
impressions, thoughts and publications they are engaged in at that moment.

The updates are displayed both on the users' profiles and on the pages of the people who
follow them.

Strictly speaking, these networks cannot be considered social networks because they do
not involve interaction between their users, limiting it to the sending of text messages or, at
most, of photographs with comments, taking advantage of current mobile devices with
cameras and Internet access.

2.2.2 Professional Social Networks.


Professional social networks are new tools that help users establish contacts with other
users. Websites like LinkedIn or Xing constitute the second largest block of social
networks.

These platforms are created and designed for making contacts and maintaining
professional relationships. That is why age is a determining factor in the use of these
networks. As shown in Graph 3, very few people under 20 use them, and the number of
affiliated users increases with age. The contrary is true of recreational networks, which are
divided between teen-oriented networks (Tuenti, Fotolog) and service-oriented networks
(Facebook).

[27] Examples of such platforms are DeviantArt (virtual photography exhibitions), Myartinfo.com (visual works)
and Moterus (motorcycle routes in Spain and motorcycle comparisons).


Graph 3: Penetration of Online Social Networks by Age Group in Spain. July 2008 (%)

Age groups: 14-20 years old, 21-30 years old, 31-40 years old. Networks: MySpace, Facebook, Hi5, Tuenti,
Fotolog, Xing/Neurona, LinkedIn.

Source: INTECO based on Observatorio sobre la Evolución de las redes sociales (The Cocktail Analysis)

The main utilities for professional networks include:

• For the worker: the search for new employment opportunities or new business
contacts. They allow users to contact other professionals through common
acquaintances, helping to connect people who in normal circumstances would not have
access to each other.

• For the employer: their presence is increasingly important because social networks
represent a new source for identifying potential candidates. They also provide further
information on candidates thanks to the information published on their profiles.

Professional networks are booming [28]. They benefit the sector in many ways and are
especially attractive because they not only complement the staff selection process but
also provide data of interest. They also allow:

• Personalized marketing actions.

• Creation of Premium services.

• Publication and promotion of contents.

[28] During June and July 2007, Xing, a leading social network, acquired two of its main competitors:
eConozco and Neurona. Xing now gathers more than 500,000 unique users.


• Sale of “trusted user” bonds: a certification issued by the social network itself to
ensure that the user is trustworthy and that his/her aims are not malicious [29].

The use of premium services on these networks is particularly interesting because of the
high number of participants that are ready to pay a monthly fee in order to access more
advanced services 30 .

2.3 Value chain and business models

Another issue widely discussed when it comes to social networks, in addition to the need
to protect personal data and privacy, is their economic viability, i.e. whether they can
become profitable businesses from an economic point of view.

2.3.1 Value chain of social networks.


As a preliminary step to analyzing the business model of social networks, the different
elements of the value chain should be understood:

• Internet Service Providers (ISP). These entities are responsible for providing the
technology (servers, connectivity, bandwidth, etc.) to social networks, ensuring that
users can access the platforms.

The selection of a suitable ISP can determine the success or failure of a social
network project, since the technological requirements in terms of information transfer
are very high.

After selecting the ISP, the model for hosting the information has to be chosen. This
can be done by leasing a dedicated server (housing) [31] or by hosting a website
(hosting) [32], depending on the traffic of the online platform and its technological
needs.

ISPs are the most important technical elements in the value chain of social networks.

• Social networks and collaborative platforms. When developing the strategy to create
this kind of online platform, the target public and the kind of tools that will be available
should be considered in advance. The development of applications and the
advertising systems should also be examined.

[29] Netlog has launched a new way of monetizing social networks by issuing trust certificates for individuals.
www.netlog.com
[30] “More than one million paying users clearly show that professionals appreciate the value of xing.com as a
professional tool for everyday use and invest €5.95 per month to access the advanced features of the
platform.” “Subscriber loyalty is one of the greatest architects of the profitability of this business: over 75% of
users still pay for premium after 3 years of subscription,” says Lars Hinrichs, CEO and founder of XING AG.
[31] Example of housing.
[32] Example of hosting.

• Marketing and online advertising corporations. These are the organizations
responsible for running and managing advertising campaigns on the network, helping
to maximize its profits in the long term.

They are one of the main elements considered when establishing the economic
profitability of the networks.

• Companies dedicated to the development of applications. They decide what kind of
applications (APIs) will be developed, as well as the kind of user profiles that will be
offered.

• Users. They are the main element in monetizing the platform. The more stable and
recurring the users are, the higher the value of the platform. It is vital for all the parties
involved in this value chain to increase their number. The reputation of the platform is
crucial for the users (who are part of the monetization process) to continue using and
recommending it.

The relationship between the various members of the value chain is described in
Graph 4.

The value of social networks lies in the number of subscribers, their loyalty, the frequency
of updates and the ease of setting up a system of economic exploitation.

The development of applications is taking an increasing place in the value chain, as is the
number of economic transactions it generates.

Finally, and although it is still difficult to talk about a clear model of exploitation, it seems
that advertising and “premium” services will be the first systems chosen for maximizing
profitability.


Graph 4: Value chain of social networks

Source: INTECO

2.3.2 Business models.


Current and future business models related to social networks are analyzed in this
section, and their effectiveness is also highlighted.

Current business model.

The current business model of social networks is divided into the following phases:

Phase I: Reaching a critical mass of users

Following traditional business models, social networks intend to multiply the number and
the loyalty of their users in order to secure their long-term sustainability and thus to
maximize their profitability.

Social networks are constantly looking for new users because these users exchange
information, documents, videos, images and experiences that, with appropriate
treatment, may offer the platform a way to run a successful marketing campaign.


The success of social networks, collaborative websites and platforms has reached
significant levels internationally. Thus, although the sources are sometimes
contradictory [33], they all agree on the growth of these advanced online services.

Recent studies on the assessment and analysis of Internet traffic [34] report that, within
the 500 most visited websites in the world, at least 5 social networks are present [35]
among the top twenty positions (Facebook, MySpace, Hi5, Orkut). The growth in the
number of visits to the main social networks between June 2006 and June 2007 has been
significant (Graph 5).

Graph 5: Evolution of the Traffic (million)

Networks: MySpace, Facebook, Hi5, Friendster, Orkut, Bebo, Tagged. Series: June 2006, June 2007.

Source: INTECO based on Alexa Internet

North America and Latin America, followed by Asia and Europe, are the continents where
social networks are used most. The kind of network used varies by region. Graph 6 shows
that social networks like Facebook and MySpace received most of their visits from North
America and Europe, while Orkut mostly received visitors from Latin America and Asia.

[33] In this regard, it is important to note the absence of an organization that offers comprehensive and
impartial information and statistical analysis of the key aspects of social networks. These data remain in the
hands of the social networks or of the marketing and advertising consultants.
[34] Alexa Internet Inc., an Amazon Enterprise Group company, one of the main references for the assessment
and analysis of Internet traffic.
[35] More information at http://www.alexa.com/site/ds/top_sites?ts_mode=global&lang=none. These statistics
are important because the vast majority of advertising campaigns use these data to set their targets or to find
new niches of buyers.


Graph 6: Geographical distribution of social networks in 2007 (%)

Networks: MySpace, Facebook, Hi5, Friendster, Orkut, Bebo, Tagged. Regions: North America, South America,
Europe, Africa, Asia.

Source: INTECO based on Alexa Internet

It can be concluded that, despite the global nature of social networks, a certain “localism”
has emerged when considering the degree of popularity of social networks in different
geographical areas.

7 out of 10 Internet users are under 35 years old [36]: 36.5% are between 15 and 24 years
old and 32.5% between 25 and 34 years old (Graph 7).

Moreover, according to the latest figures from the National Institute of Statistics [37], one
third of underage people use social networks in Spain (29% are between 15 and 24 years).
National and international [38] studies consider this group to be the main user of social
networks.

[36] The absence of data on the use of networks by children under 15 years old should not be understood as
non-use of such services by this population.
[37] Survey on Equipment and Use of ICT (October 2008).
[38] For example, 35% in the UK according to Ofcom (“Social Networking”, April 2008) or even 55% in the
U.S. according to the Pew Internet & American Life Project (report “Social Networking Websites and Teens:
An Overview”). The data released by INTECO report that 36.5% of Spanish social network users are young
people between 15 and 24 years.


Graph 7: Segmentation by age of social network users in Spain (June 2008)

15-24: 36.5%    25-34: 32.5%    35-49: 21.0%    50-65: 7.9%    >65: 2.2%

Source: INTECO

Furthermore it appears that the use of social networks in Spain increases along with the
level of education (Graph 8).

Graph 8: Use of social networks in Spain by level of study (June 2008)

University degree:                        28.7%
Medium level (certificates of studies):   19.4%
First - second level of schooling:        16.1%
Second - third grade:                     14.1%
Primary studies:                          16.6%

Source: INTECO


There are numerous national social networks, such as Tuenti, whose success can be
compared to that of global social networks such as MySpace, Hi5 and Facebook. This is
not the case in other countries (Graph 9).

Graph 9: Penetration of different Social Networks in Spain (July 2008)

Network        Account and regular use   Account and no use   Without account
MySpace        19%                       15%                  66%
Hi5            13%                       15%                  72%
Facebook       13%                        8%                  79%
Tuenti         12%                        4%                  84%
Fotolog        11%                        6%                  83%
Xing/Neurona    4%                        6%                  90%
LinkedIn        2%                        1%                  97%
Orkut           1%                        2%                  97%
Bebo            1%                        -                   99%
Twitter         1%                        2%                  97%

Source: INTECO from the Observatorio sobre la Evolución de las redes sociales (The Cocktail Analysis)

Thus, although the phenomenon of social networking is quite new in Spain compared with
other countries, steady growth has been observed since 2007, to the extent that these
platforms now occupy the place of other traditional tools and media for disseminating
messages [39].

The interest of the media and users in this phenomenon has helped national networks such
as Wamba, Moterus or PatataBrava to grow significantly in Spain.

In conclusion, during this first phase the main effort made by social networks and
websites is focused on collaborative actions to increase the number of members, as well
as on ways to ensure active and continuing participation so that profiles are constantly
updated.

[39] An example of the influence that social networks have on society is the campaign run jointly by
Spanish public Radio & Television and the Spanish YouTube site, which created a microsite called
"Elecciones '08" (Elections 2008). This site was addressed to the candidates for the presidency of the
Government of Spain in the 2008 elections. Voters, via videos, asked them questions on the issues that
most concerned them. The purpose of the whole campaign was to bring voters and candidates together to
exchange content and raise questions and situations which, after being selected, the candidates had to
answer without preparation and with the utmost sincerity.


Phase II: Monetization of online social networks

When a social network has a sufficient number of users and updated profiles, the platform
reaches a second phase in which exploitation and monetization can begin. Debates are
currently taking place within the industry about the most profitable operating models for
such networks.

Graph 10 reflects the economic variables of the business model through which social
networks are currently being exploited and monetized:

• Advertising: it can be based on the behavior of the users within the platform (main
source of income).

• Premium: the platform has two kinds of content. In order to obtain a more complete,
more advanced profile or to use more applications, users must subscribe to options that
are subject to charges.

• Donations: users themselves make donations, through instruments like PayPal [40], for
the maintenance of the platform.

• Payment for use: when users want to access certain tools, they have to pay for their
use, through SMS messages or PayPal services.

[40] PayPal is an e-commerce company that allows the transfer of money between users who have an
e-mail address, as an alternative to traditional methods like checks or money orders. PayPal also
processes payment requests for e-commerce and other web services, invoicing a percentage for each.
Most of its customers come from the online auction site eBay.


Graph 10: Monetization of social networks and Web 2.0 (Sept 2008)

Advertisement: 86%
Annual or monthly subscriptions: 26%
Product sale: 17%
Pay for users: 12%
Donations: 10%
Pay per use: 7%

Source: INTECO based on Multiplica.com

However, these ways of monetizing social networks are not sufficient to guarantee long-term
stability. For this reason, even though the value of Facebook is estimated at around
15,000 million dollars [41], the investments of large corporations and venture capital
firms are the only thing that can sustain the economic infrastructure of social networks.

Business owners are looking for new ways to make social networks profitable and to
maximize the return on investment in the development and management of these platforms.

Among the most significant changes is the possibility for users to collaborate on the
development, expansion and improvement of the platform, thanks to the API (application
programming interface) published by the network in question.

This collaborative work benefits both the users and the platform [42].

Among the most important benefits [43]:

[41] It is undeniable that the true interest of large corporations and Internet communication companies
lies in social networking and collaborative platforms, as shown by the titanic struggle over Facebook
since 2006, including Yahoo's attempt to buy it and, in 2008, Microsoft's acquisition of 1.6% of its
shares, which raised the valuation of Facebook to 15,000 million dollars.
[42] For example, in the case of online games such as Second Life or World of Warcraft, items or money
that belong to the online world and have nothing to do with the real world have come to be auctioned on
eBay.


• No upfront production costs.

• Setting up an ad-hoc social network: it is the users who shape the platform as they
like and who develop applications that are useful for building their digital identity.

• Full involvement of the users in their social network: users identify themselves with
the platform they belong to, and the platform helps them to build their personal image.

• Interoperability between different platforms is ensured, allowing users to update only
one of their profiles; the others update automatically.

In addition to the collaborative work of the platforms' users, another variable that
characterizes the change in the current business model of social networks is the potential
of their applications. One example is Facebook's "Gift" application, which allows users to
give gifts to other members for a monetary amount that is collected by the company that
owns the platform. This application generates around $15 million a year according to the
independent consultant Lightspeed Venture Partners [44]. Graph 11 collects the daily
income of other applications.

[43] This model was recently introduced by Google through its OpenSocial platform, based primarily on
making the open source platform available, through its API, to the entire community of Internet users. In
this model the community develops the platform fully in its own image, providing everything that it, as
users, considers essential for the proper functioning of the application. This strategic move was born
from the alliance between the world's leading social networks (Orkut, Bebo, Engage.com, Friendster, Hi5,
imeem, LinkedIn, Ning, Plaxo, Six Apart, Tianji, Viadeo and Xing) as a means of defining common tools for
developing applications that serve all social networks, i.e. applications that are interoperable between
different platforms. This is a line parallel to that followed in the field of consumer software, where the
collaboration of the development community and open programming (Free Software) have increasingly
become established on users' personal computers. OpenSocial is designed to help developers of social
networking software and applications turn their ideas into economic returns. Thus, the launch of this
platform, announced in November 2007, was at first directed only at software developers (with Google's
intention of becoming the standard for developers of social network applications). From the first
moments, and as was to be expected, the launch of OpenSocial was followed by the discovery of the first
security flaws, with its first cracking on November 5, 2007, which caused serious damage to Orkut, the
social network owned by Google and the only network operating OpenSocial at that time. After these
initial errors, which were on the other hand logical and foreseeable given the complexity of the
development, OpenSocial is currently described as an alternative to Facebook.
[44] More information about this company at http://lsvp.wordpress.com/about/.


Graph 11: Earnings per day of Facebook applications (in thousands of dollars)

Mob Wars: 22.5
Bumper Sticker: 18.2
PackRat: 13.3
Pieces of Flair: 8.5
FunWall: 8.4

Source: INTECO based on developerAnalitycs.com (August 2008)

Future business models and strategies of social networks

The future business model will be based on collaboration between the platforms and their
users. They will provide new services capable of producing economic benefits related to
the number of users who use them. The main challenge for social networks is to achieve
revenue growth proportional to their number of users.

In this sense, the main trends identified during the research phase of the Study as valid
alternatives for building the future business model of social networks and collaborative
websites are listed below, bearing in mind that, by analogy, the trends anticipated for
Web 2.0 [45], of which these platforms are advanced and integrated services, will also
apply to them.

Growth of online advertising and marketing. Graph 12 shows the market forecast for
U.S. B2B [46] advertising in social networks: $40 million in 2008, rising to $210 million
in 2012.

[45] Web 2.0 and its business models. Comparative study on the sources of income and the business models
of the 100 most important Web 2.0 sites (Multiplica).

[46] Abbreviation of Business to Business, meaning between companies.


Graph 12: Forecast sales of online B2B advertising, between 2007 and 2012 (in million
U.S. dollars)

2007: 15
2008: 40
2009: 80
2010: 125
2011: 165
2012: 210

Source: INTECO based on E-Market

Collaborative platforms and social networks will collaborate actively in the campaigns of
the agencies hosted on their interactive websites. Advertisements or banners will be
replaced by new advertising applications that encourage users to interact with them more
actively and effectively. Their potential will be enhanced through:

• The analysis of users' behavior, identifying market sub-segments based on the needs and
preferences of customers.

• The creation of internal markets in which online users can actively participate.

• The advertising and promotional exploitation of user profiles through commercial
agreements with external brands and companies.

Based on this business model, the possibility of monetizing a social network is determined
by the existence and consolidation of the following aspects:

• The ability to analyze the needs and preferences of its users.

• The ability to offer new services.

• The ability to increase the number of loyal and active members involved in the social
network.


Supply of new segmented applications run by social networks. Increase in the supply and
development of new segmented applications and functionalities.

Increase in the number of users. Many websites (such as MySpace, Facebook, Xing or any of
the other social networks or collaborative platforms identified) are key elements of
"Culture 2.0". They seek to attract the largest possible number of users in order to
maximize the monetization ratio ("a larger number of visitors = a higher value of the
platform").

Enhance and capitalize on collective knowledge. Use collective knowledge to customize
content and make it more appropriate for users [47].

Responding to the tastes, needs and preferences of the user, the social network will send
a series of personalized messages, known as contextualized messages, depending on the
user's browsing behavior.

Mobile technologies are emerging as a new channel for accessing social networks. Web 2.0
and, by analogy, social networks and platforms rely on the success of mobile technologies
and the spread of wireless Internet connectivity to increase the number of accesses to and
updates of user profiles.

Interoperability of social networks. Enhancing and developing tools that free users from
local applications (installed on their computers) for communicating with their contacts,
by making these communications possible directly through the social network.

This kind of application will be designed and developed by the users of the network, using
programming languages that can run on other platforms, in order to ensure that social
networks are interoperable with each other [48].

Geopositioning and multimedia devices. Furthermore, according to the recent study "Spain
2008", published by the Orange Foundation, the development of mobile connection systems
(3G and 4G), as well as the emergence of new mobile devices that integrate multimedia
utilities, will allow users of social networks to access and update their profiles from
anywhere in the world with a simple Internet connection.

According to a recent study published by ABI Research (01/08/2008), mobile technologies,
social networks and multimedia platforms will benefit from 3.3 trillion dollars in profit
by 2013 [49].

[47] An example of this logic is the one applied by the Amazon website to recommend books to users.
[48] An example of this trend is OpenSocial, the platform created by Google.
[49] For more information, visit the website of ABI Research.


IT security solutions. IT security solutions to protect the users of social networks are
seen as another source of potential business opportunities. New software has been
developed to ensure the security of social networks and to protect the privacy and personal
data of their users, particularly underage ones [50].

Graph 13: Growth model of social networks

Source: INTECO

[50] More information: White Paper on Digital Content in Spain 2008, Red.es.


2.4 Risks implied by the use of social networks

Social networks offer multiple functionalities. Among them, the most used, as shown in
Graph 14, are sharing and uploading photos (used by 70.9% of users), followed by sending
private messages (62.1%).

Graph 14: Uses of social networks by Spanish users (%). October 2008.

Share or upload photos: 70.9
Send private messages: 62.1
Comment on photos of friends: 55.0
Update profile: 52.1
Send public messages: 50.2
Gossip: 46.2
Tag friends in photos: 34.8
Get information about their interests: 25.0
Download applications: 19.3
Download games / find friends: 9.5
Job search / recommend professionals: 8.5

Source: INTECO from Zed Digital

However, despite the opportunities and benefits represented by these features, it should
be noted that such platforms are not free from risks, as explained below.

General social networks are exposed to a higher level of risk than professional social
networks, since their users not only publish personal information (studies, professional
experience) but also their tastes, ideology or experiences, which means that the amount of
personal data available to the public is greater than in professional social networks. The
risk for data protection and privacy is very significant.

Among the main risk situations:

• Users of social networks are not aware that their personal data will be accessible to
anyone and might be exploited for commercial purposes. In many cases they make public
personal data that they would never have exposed in their daily lives, such as ideology,
religion, sexual orientation, etc.

• Personal data can be used illegally by ill-intentioned users.


• The possibility of publishing false or unauthorized information may generate new legal
issues [51].

• When registering, users grant full and unlimited rights over all published content to
the hosting platform, so that it can be economically exploited [52].

Therefore, despite the fact that social networks have a multitude of benefits, their users
should not ignore the fact that they are public tools that offer access to everyone.

The majority of social network users neglect the privacy of their profiles. The recent
study "Social Networks: Quantitative and qualitative analysis on users' habits, customs
and activities" published by Ofcom (Office of Communications) states that almost half of
social network users (43%) have not restricted access to their profile (Graph 15).

Graph 15: Privacy settings (October-December 2007)

The profile can only be seen by friends: 48%
The profile can be seen by anyone: 43%
The profile cannot be seen: 6%
The user doesn't know: 3%

Source: INTECO from Ofcom (Office of Communications)

When it comes to underage users, the risks represented by ill-intentioned uses of their
profiles are even higher.

Using social networks is becoming a common activity for young people and is becoming part
of their social development. Social networks bring great benefits to children, offering
them access to a new medium for communication and social interaction, allowing them to
maintain direct contact with their friends and acquaintances and to create a new form of
digital identity [53]. However, as underlined in the study "Social Networks: Quantitative
and qualitative analysis on users' habits, customs and activities" published by Ofcom
(Office of Communications), underage users, despite having some notion of security,
neglect certain aspects of it and sometimes do not give enough importance to their
personal data.

[51] More information about phishing: http://www.legaltoday.com/index.php/actualidad/noticias/phishing-una-alarma-constante.
[52] One of the most significant controversies occurred in 2006 with the band "Arctic Monkeys", which was
on the verge of losing the rights to their own songs for having hosted them on a social network in its
early stages.

Chapter 3 of this study analyzes the specificities of Spanish law regarding particularly
vulnerable groups.

The data presented in this study are sufficient to show that the growth of social networks
in the past few years has been unstoppable. So far it has been positive, without large or
numerous cases posing a danger to users. However, the risks are evident and increasingly
frequent on this kind of platform.

As the number of users of social networks increases, so do the cases in which their data
are used for illegitimate purposes and users fall victim to fraud or even kidnapping and
similar crimes.

Recently, the company ScanSafe, a web security consultancy, published a study [54]
revealing that, after analyzing more than five billion page requests in July 2006, more
than 600 websites considered social networks included some kind of malicious code
(malware).

Most of this malware consists of spyware and adware (usually pop-up windows) attached to
internal applications that are executed inside users' browsers.

The identified spyware and adware are attached to benign programs, but they seriously
affect the user, for example by redirecting his or her browser. Removing them is often a
difficult task.

Most of the social networks that contained this kind of malware were considered general or
recreational. Professional social networks have not yet suffered from the presence of such
malware.

[53] According to Evolucy Technology Consulting SL (www.evolucy.com), a company specialized in usability,
"by definition, identity is the set of features that characterize an individual before others. The
verification of these features is what enables us to determine whether an individual is who he claims to
be. Some of these features are characteristic of the individual; others are acquired over time. Of course,
not all features are equally significant. There are features that are visible to the naked eye, while
others are hidden and need a certain knowledge and sometimes tools to verify them. The set of features
that characterize an individual or a group in a digital medium is known as Digital Identity".
[54] More information at: http://www.scansafe.com/.


From a practical point of view it seems logical that the main targets of cyber-criminals
are general or recreational social networks, as they have a higher number of users than
professional networks [55].

The potential risks associated with professional social networks are those related to
the protection of the personal data published by users, which can encourage the
proliferation of so-called "contact collectors" or "social spammers", dedicated to
collecting contacts on social networks for no other purpose than to appear socially
successful. A priori, this kind of behavior may not seem harmful. However, it raised a
serious problem for one of the largest professional social networks worldwide (LinkedIn).
As a result, the owner of the platform had to change the way users interact, obliging
those who want to contact other members to have previously acknowledged the existence of
a relationship of mutual trust [56], which was not initially a requirement.

[55] According to official information published by Facebook, its current number of users reaches 110
million, while the professional social network Xing only reaches 500,000 users.
[56] More information at: http://www.ejournal.unam.mx/rms/2005-1/RMS005000104.pdf


3 ANALYSIS OF THE MOST IMPORTANT ASPECTS AND SPECIFIC PROBLEMS OF SOCIAL NETWORKS

The current trend on the Internet is to focus on the user (through forums, blogs, wikis
and social networks), in other words, on all those utilities and services that are based
on a database that users may change while processing the content (adding, changing or
deleting information).

But the notoriety of these social spaces is not free from the risk of potential
ill-intentioned attacks. The importance of article 18.4 of the Spanish Constitution should
be underlined in this regard. It regulates the uses of information technology that could
affect the fundamental rights of persons. A great effort has been made in this sense by
both Spanish and European legislation, with the approval of Convention 108/1981 of the
Council of Europe, with the rules drafted by the European Communities on data protection,
the information society and intellectual property, and with the Spanish rules that develop
and define a regulatory basis for the protection of users on the Web 2.0 and social
networks.

This chapter will analyze the most relevant issues related to social networks and
collaborative websites, so that their users have enough information about their rights and
obligations.

The criteria selected for the analysis were the following:

• The protection of the right to honor, personal and family privacy and image.

• The secrecy of communications.

• The protection of personal data.

• The protection of literary, artistic, scientific and technological creations by
intellectual property rights.

• The protection of consumers and users.

The analysis of these rights will follow this structure:

• Definition of the right.

• Legal framework: applicable regulation and evolution.


o International regulation [57].

o European regulation.

o National regulation.

• The possible risks to which these rights may be subject.

• Most vulnerable groups: underage and legally incapacitated users.

• Others: workers.

• Measures to safeguard these rights.

3.1 Protection of the right to honor, personal and family privacy and image.

Article 18 of the Spanish Constitution protects the personal sphere of individuals by
guaranteeing their privacy and by giving them the right to exercise control over the
processing of their personal information. In this article we find certain classical rights
of the person (the rights to honor, personal and family privacy and image), others
referring to specific fields (inviolability of the domicile and secrecy of
communications), and one third-generation right, defined by the Constitutional Court as
the fundamental right to data protection. Information technologies affect not only the
third right but also the first two categories.

The main rights established by article 18 SC are not absolute: they may be limited by
other relevant rights or interests when the conditions defined by the Constitution are
met. In case of conflict, the core values of the article will be respected and other
measures will be taken to adapt to the situation.

These rights have been developed in the civil and criminal fields through very diverse
laws, such as Organic Law 15/1999, of December 13th, on the Protection of Personal Data,
forming a complex normative structure. Thus, the task is to consider the content and
existing services in social networks and ask how these regulations apply to them and to
users' activities.

3.1.1 Definition of the right

The definition of the interest protected by article 18 SC is particularly complicated
because of its structural complexity and because of the influence of the uses made of new
technologies. In this sense, and for purely pedagogic reasons, it must be said that
article 18 SC intends to protect private life, as well as the dignity and freedom of the
human being [58]. These rights are categorized as rights of the person, and their
ownership, with some exceptions, can only be attributed to natural persons. They cannot be
waived, transferred, subjected to a limitation period for their exercise before a court,
or seized, and they are inalienable.

[57] The study of international legislation will also include U.S. regulations, since most users of the
largest social networks are U.S. nationals and since, after the attacks of September 11, U.S. legislation
has focused on communication via the Internet and on the protection of children.

Private life is regulated by different rights. Article 18.1 SC provides for the rights to
honor, personal and family privacy and image. The Court has emphasized that, although
these rights have the same goal, they should be considered separately, even though they
are deeply intertwined [59]. The link between these rights, and even between them and the
secrecy of communications and the fundamental right to data protection, is the use of
personal information. This fact does not necessarily mean that they cannot be analyzed
independently.

The right to honor protects the public image, name and reputation of a person in a public
context, so that other people fully respect that person's life. This right extends beyond
the death of the person and is guaranteed by the law, which protects the successors.

The right that protects the image of the individual gives every person the ability to
exercise control over the recording, use and dissemination of their image, since all these
actions concern graphic representations of the human face and voice. When the
Constitutional Court dealt with the right that protects the image, it not only considered
its concrete aspects (the power to consent to the publication or dissemination of images
that reproduce the human face); it went further, referring to the information revealed by
those images or sounds, which has a direct relation with intrusions into privacy.

The right to privacy was initially understood by doctrine and jurisprudence as a
well-ordered protection of the most internal and reserved spheres of people. Later
jurisprudence and social developments have considered the right to privacy to have a
broader content and many manifestations. In this sense, the relationship between intimacy
and image, the conflicts that arise when exercising the right to information and freedom
of speech, evidence in criminal matters, the protection of health and genetic research,
and the protection of the family dimension have extended the scope of this right.

[58] "Along with the value of human life and substantially related to its moral dimension, our
Constitution has raised the dignity of the person to a fundamental legal value which, without prejudice
to the rights inherent to it, is intimately linked with the free development of personality (art. 10) and
the rights to physical and moral integrity (art. 15), freedom of ideas and beliefs (art. 16), honor,
personal and family privacy and image (art. 18.1). From the meaning of these precepts it can be deduced
that dignity is a moral and spiritual value inherent to the person, which manifests itself in the
self-conscious and responsible determination of one's own life and which brings with it respect from
others." (STC No. 53/1985 FJ 8).
[59] "The right to image, in art. 18.1 CE, together with the rights to privacy and honor, helps to
preserve the dignity of the person (art. 10.1 CE) and safeguards 'their own personal reserve' against
encroachments by others. It only acquires its full meaning when it comes under the protection of 'an area
reserved for oneself and against the action and knowledge of others', along the lines needed in our
culture to maintain a minimum quality of life" (STC 99/1994).

Finally, the Constitutional Court has given autonomy to the fundamental right to data
protection that is covered in a specific section of this study, configuring it as a right, but
with an instrumental relationship with the rights of the first paragraph of the Article 18 of
the SC, even though it has an own constitutional configuration and definition.

Finally, although this study does not go deep into this subject, it should be noted that the
protection of constitutional privacy is projected by two other rights.

First, we must refer to the inviolability of the domicile. According to the Constitutional Court, "this right does not only protect the physical space which, by itself, is considered, but also covers the emanations of the individual and private sphere of the person. Interpreted in this sense, the rule of inviolability of the domicile has an extensive content and imposes a broad range of guarantees and powers, which include the power to ban all kinds of invasions, including those that may be made without penetration, through mechanical, electronic or other similar means. The second rule establishes a condition for entry into and search of the domicile, which is that the owner has to consent or it has to be ordered by a court decision" 60. It should be noted, therefore, that physical penetration into the domicile is not required, and that this principle is directly relevant to the Internet because of the presence of thousands of webcams and video recordings in personal domiciles that could infringe this right.

The latest manifestation of privacy, based on constitutional protection, is the secrecy of communications. It protects both the fact of communicating and the contents of the communications. Thus, "in a narrow sense, the right may be violated both by interception (which would include the physical apprehension of the message, or any other form) and by the simple unlawful knowledge of communications (for example, the external opening of the correspondence stored by the recipient)" 61.

The secrecy defined by Article 18.3 SC has a "formal" sense "in what was previously stated, whatever its content, whether or not it belongs to personal, intimate or reserved communication", and stipulates "the irrefutable presumption that what is communicated" is "secret" "in a substantial sense". However, the secrecy of communications is not projected over the interlocutors themselves, who may nevertheless be bound by an obligation not to disclose anything, under penalty of violating the privacy rights of any of them. Another important detail of the doctrine of the Constitutional Court is the idea that, when this topic is addressed, the secrecy of communications does not depend on the specific technological medium used. The Supreme Court has completed this doctrine in judgments SSTC 70/2002 and 123/2002. Both provide a technological update which protects against interference in any kind of communication "regardless of the transmission technique used and whatever the content of the message: conversations, information, data, images, votes, etc."

60 STC 22/84, FJ 5. In a position that strongly reaffirms it, the fifth legal ground of STC 50/1995 states: "The residence, as it is defined by law (art. 40 CC), delimits the space where the person lives without necessarily being subject to customs and social conventions (STC 82/1984) and, therefore, its protection is an instrument for the defense of the private sphere. There is an indissoluble link between such sacredness of the existential seat, which bans any intrusion, and in particular entry, and privacy, which is otherwise enshrined in the precept that contains the other (art. 18.1 and 2 EC)." Also STC 133/1995.
61 STC 114/1984.

Therefore, the secrecy of communications extends to all the services of social networks that provide communications, such as those based on private messaging tools.

Providing effective protection of these rights in the field of social networks, and generally in the Information Society, entails the need to reinterpret, adapt and strengthen the concept of protection, because social networks encourage users to publish personal information and, in many cases, information that belongs to intimate areas such as personal ideology, sexual orientation, religious beliefs, etc.

3.1.2 Applicable Law

What follows is an analysis of the regulation and legislative development of the right to honor, personal and family privacy and image, with special emphasis on the protection of this right on the Internet and in the services associated with it.

To provide a complete overview of the situation, these rights are analyzed from an international, European and national perspective.

International regulations

The protection of these rights is not restricted to certain states, but is recognized by most of the international community, and they are specifically protected by the national constitutions and laws of many countries.

The Declaration of Human Rights of 1948 establishes the first source of norms regarding these rights, stating that: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honor and reputation. Everyone is entitled to the protection of the law against such interference or attacks."

Similarly, but specifically for minors, the International Covenant on Civil and Political Rights of 1966 and the International Covenant on Economic, Social and Cultural Rights of 1966 give all children the right to a greater degree of protection, because of their particular characteristics.

This normative protection for minors is expressly stated in the Convention on the Rights of the Child of 1989, which states: "No child shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. The child is entitled to the protection of the law against such interference."

European Regulation

First, reference must be made to the Rome Convention of 1950 (ECHR) 62, which can be cited as the first European text that enshrines the protection of privacy, and also to Convention 108 of the Council of Europe, which defines the legal context of privacy protection in relation to information and communications technologies. The Convention of 1950 has also been particularly effective in the field of human rights protection in those States that have agreed to be bound by its terms.

The importance of the Convention for national legal systems derives from its dual nature: as a rule incorporated into Spanish law through Article 96 of the Spanish Constitution, and as a criterion for the interpretation of fundamental rights under Article 10.2 of the Constitution. This dual nature extends to the judgments issued by the European Court of Human Rights, which applies the Convention: they produce legal effects in domestic law and have inspired the work of the Constitutional Court in the interpretation of fundamental rights.

At the EU level, the Charter of Fundamental Rights of the European Union (2000/C 364/01) 63 stipulates that "Everyone has the right to respect for his or her private and family life, home and communications".

Similarly, the European Charter of Rights of the Child (European Parliament resolution A3-0172/92 of 8 July 1992) states that "Every child has the right to be free from unwarranted intrusions by third parties into his private and family life, and not to suffer unlawful attacks that affect his honor, the right to his image being likewise recognized and protected".

It should be noted that EU rules do not usually refer to privacy or the right to privacy as such, but many other rules use the term "privacy" when dealing with personal data (see section 3.2.1).

62 The Rome Convention of 1950 regulates the right to privacy in Article 8 as follows:
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right, except as provided for by law and as is necessary in a democratic society in the interests of national security, public security, the economic welfare of the country, the defense of order and the prevention of crime, the protection of health or morals, or the protection of the rights and freedoms of others.
Rome Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms. Instrument of Ratification of 26 September 1979.
63 Published in the Diario Oficial de las Comunidades Europeas on 18 December 2000.

United States of America

In the U.S., the legal protection of privacy is the result of a complex interpretive effort by the Supreme Court which, after nearly half a century, has reached constitutional recognition of the right to privacy, deducing it from "the shadows and dark shadows" of various amendments of the Constitution. The U.S. Constitution does not expressly recognize the right to privacy. It was built by the Supreme Court from rights explicitly recognized in the Constitution, combined with what could be deduced from the "dark shadows" of the constitutional precepts.

Specifically, the Supreme Court has held that the U.S. Constitution does not contain a closed list of rights: the Ninth Amendment stands as an open clause for the incorporation of new rights, stating that "the Constitution lists certain rights", "which does not mean that it denies or disparages other rights granted to the people". Moreover, the Fourteenth Amendment, which gives citizens the right not to be deprived of "life, liberty or property without due process of law", has provided the Court with a procedural argument to consider cases related to privacy. Thus, the Due Process Clause acts as a clause guaranteeing the freedom of citizens against the powers of the State. Further clauses related to specific rights (the freedom of speech and people's participation in the First Amendment, the limit on the military use of private houses during peacetime in the Third Amendment, and the protection of the domicile in the Fourth Amendment) have been used to infer privacy as a constitutional right.

It should be noted that it is not easy to analyze the regulation of privacy in the U.S. in legal terms, because the U.S. is a federal State 64.

64 The following can be mentioned, in a non-exhaustive list, among others: Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 (1970). Privacy Act, 5 U.S.C. § 552 (1974). The Freedom of Information Act (FOIA), 5 U.S.C. § 552 (1974). Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g et seq. (1974). Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq. (1978). Privacy Protection Act, 42 U.S.C. § 2000aa et seq. (1980). Cable Communications Policy Act, 47 U.S.C. § 551 et seq. (1980). Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2701-11 (1986). Video Privacy Protection Act, 18 U.S.C. § 2710 (1988). Employee Polygraph Protection Act, 29 U.S.C. § 2001 et seq. (1988). Telephone Consumer Protection Act, 47 U.S.C. § 227 (1991). Driver's Privacy Protection Act, 18 U.S.C. §§ 2721-2725 (1994). Telecommunications Act, 47 U.S.C. § 222 (1996). Electronic Freedom of Information Act Amendments of 1996, Public Law No. 104-231, 110 Stat. 3048 (1996). Financial Services Modernization Act, Public Law 106-102, Gramm-Leach-Bliley Act of 1999. Department of Transportation and Related Agencies Appropriations Act of 2000 § 350, Pub. L. No. 106-69; 113 Stat. 986 (1999). Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USAPA), H.R. 3162 (2001), or USA Patriot Act. Pen/trap Statute, 18 U.S.C. §§ 3121-27 (2002). Wiretap Statute, 18 U.S.C. §§ 2510-22 (2002).


Similar regulations ensure the protection of users' privacy in specific situations. Two main rules are included in this regard:

• Telecommunications Act 1996 (adopted on June 13, 1996). This rule explicitly governs the aspects of the Internet dealing with violent content and/or pornography that may damage the ethics and morals of people, and establishes protection for ISPs (Internet Service Providers) regarding content published by third parties.

• Children's Online Privacy Protection Act 1998, which contains specific regulations regarding acts designed to obtain information from, or deceive, children while they browse the web.

In terms of privacy, the "USA Patriot Act" (UPA), adopted on October 24, 2001, must be considered. This rule is a clear limitation of the right to personal and family privacy and of the confidentiality of communications for any person in the United States, since the Federal Government has full power to tap any kind of communication, internal or external: e-mail, telephone conversations, text or voice messages, web browsing history, and queries on Internet search engines. Its purpose is to increase the security of the State against organized crime and terrorism.

Spanish Laws

At the national level, recognition of the right to honor, personal and family privacy and image is enshrined in Article 18.1 SC.

Subsequently, by Act 1/1982 of May 5 on the Civil Protection of the Right to Honor, Personal and Family Privacy and Image, Spanish legislation developed this fundamental right, with specific protection in civil matters.

The Criminal Law provides specific regulation of crimes that involve the violation of the rights to honor, privacy and image, regardless of the means by which they are committed.

From the point of view of the secrecy of communications and the fundamental right to data protection, this rule is complemented by Law 25/2007 on the Conservation of Information related to electronic communications and public communications networks, which establishes the obligation of operators providing electronic communications services available to the public, or operating public communications networks, to retain the traffic data generated by users via their phones or devices connected to the Internet, as well as the duty to transfer such data to authorized agents, upon the required judicial authorization, for the purposes of detection, investigation and prosecution of serious crimes under the Criminal Law or specific related laws.


3.1.3 Possible risks. How could the right to honor, privacy and image be affected in a Social Network?

As noted at the beginning of this chapter, social networks and collaborative websites are not free from the danger of malicious attacks. Situations may arise that threaten the integrity of the rights to honor, personal and family privacy and image of their users.

Based on the previous analysis and the interviews conducted in the sector, we now describe situations that can damage the integrity of users' rights. This analysis starts at the moment the user signs up to the social network and ends when the service is cancelled.

Thus, the first critical point is the user registration and profile settings process, since this is the phase in which the user must assess what is going to be published on his/her profile and the level of publicity that this information is going to have. This point is very important and must be taken care of by the users; it will be essential for the subsequent protection of their privacy and that of all the members of their network.

In this initial stage, the right to personal and family privacy is only affected when personal data are provided. If the service offers users the ability to make decisions about their environment (for example, if the profile can be configured as a public or as a restricted space), then the way the user configures and uses his/her profile could affect the honor and image of the user or of the persons he/she refers to.

Thus, a possible risk is that the user does not properly set the profile privacy level at the time of registration, either through ignorance or because the social network does not offer these settings.

A proper configuration of profile privacy is essential, since often the platform's default settings allow the maximum degree of visibility. Therefore, an incorrect configuration can affect not only the content published by the user, but also all other users who have published or shared information, since it will be accessible to the other members of the platform.

The users' routine use of the platform is the second moment when the right to privacy and image may be violated, depending on the kind of activities they perform.

They could undermine the protection of these rights by publishing intimate information on the platform. Any user can control the content that he/she wants to publish, but the implications of this action are often not correctly appreciated. Furthermore, the control of information in a social network is limited, because any person on it could publish pictures, videos, reviews, images or tags with the names of other users.


Furthermore, it should be noted that the amount of information, data and images that can be published could be excessive and impact the user's own privacy and that of third parties.

• Personal privacy: even if the users are the ones who voluntarily publish their data, these platforms possess powerful tools for exchanging information and for processing and analyzing the information provided.

• Third parties' privacy: it is essential that users keep in mind that information and data of third parties must not be uploaded unless those third parties have expressly agreed to it, and that the third parties may request its immediate removal.

It is important to note that in most cases social networks allow search engines to index user profiles, along with contact information and the profiles of related friends, which may be another risk for the protection of privacy. It may also hinder the removal of the user's information from the Internet.

Another risk that may occur while browsing the social network is related to the ability of these platforms to locate the user through the IP address and identify the connecting device, in order to contextualize the content and advertising displayed. This can be considered an intrusion into the user's routines that can seriously impair the right to privacy.

Finally, when the user requests to unsubscribe from the service, the right to privacy and image may also be affected, because, in spite of the cancellation of the account, the user's private information may still be accessible from other users' profiles and remain indexed and cached by the various search engines available on the Internet.
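Two of the risks described above, profiles being indexed by search engines and copies surviving in search-engine caches after the account is cancelled, are both handled on the platform side with robots directives. The following Python check is an added example and is not part of this study nor the code of any social network: it inspects the response a platform is about to serve for a profile, decides whether crawlers may index it from the X-Robots-Tag header and the robots meta tag, flags a restricted or cancelled profile that lacks a noindex directive, and produces the header that keeps a page out of both the index and the cache. The sample HTML, headers and function names are constructed for this example.

```python
"""Platform-side check: is a profile page exposed to search-engine indexing?

Added example, not part of the INTECO/AEPD study. It recognises the two
standard robots directives a response can carry: the X-Robots-Tag HTTP
header and <meta name="robots" content="..."> in the HTML body.
"""
from html.parser import HTMLParser

# Either token keeps a page out of the index ("none" means noindex, nofollow).
NOINDEX_TOKENS = {"noindex", "none"}
# noarchive also tells engines not to keep or show a cached copy, which matters
# for pages they fetched before the profile was restricted or cancelled.
HARDENED_HEADER = "noindex, nofollow, noarchive"


class _RobotsMetaParser(HTMLParser):
    """Collects the content of every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").lower() == "robots":
            self.directives.extend(_split_directives(attr.get("content", "")))


def _split_directives(value):
    """'NOINDEX, nofollow' -> ['noindex', 'nofollow']"""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def robots_directives(headers, html):
    """All directives found in X-Robots-Tag header(s) and robots meta tags."""
    found = []
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        # A header may be scoped to one crawler ("googlebot: noindex");
        # the directives follow the first colon in that case.
        body = value.split(":", 1)[1] if ":" in value else value
        found.extend(_split_directives(body))
    parser = _RobotsMetaParser()
    parser.feed(html)
    found.extend(parser.directives)
    return found


def is_indexable(headers, html):
    """True when nothing in the response tells crawlers to stay out."""
    return not (set(robots_directives(headers, html)) & NOINDEX_TOKENS)


def assess_profile(visibility, headers, html):
    """Finding for a profile page about to be served.

    visibility is the account state: "public", "restricted" or "cancelled".
    """
    indexable = is_indexable(headers, html)
    if visibility in ("restricted", "cancelled"):
        if indexable:
            return "EXPOSED: %s profile can be indexed and cached by search engines" % visibility
        return "OK: %s profile is excluded from indexing" % visibility
    return "OK: public profile, indexing follows the user's choice"


def harden_headers(headers):
    """Copy of the headers with the directives that keep the page out of
    search indexes and search-engine caches (any earlier tag is replaced)."""
    hardened = {k: v for k, v in headers.items() if k.lower() != "x-robots-tag"}
    hardened["X-Robots-Tag"] = HARDENED_HEADER
    return hardened


# Constructed sample responses (not captured from any real platform).
RESTRICTED_PROFILE_HTML = (
    "<html><head><title>Profile</title></head>"
    "<body><p>Contact: sample@example.invalid</p></body></html>"
)
PUBLIC_PROFILE_HTML = (
    '<html><head><meta name="robots" content="NOINDEX, nofollow">'
    "<title>Profile</title></head><body></body></html>"
)

if __name__ == "__main__":
    headers = {"Content-Type": "text/html"}
    print(assess_profile("restricted", headers, RESTRICTED_PROFILE_HTML))
    print(assess_profile("restricted", harden_headers(headers), RESTRICTED_PROFILE_HTML))
    print(assess_profile("public", headers, PUBLIC_PROFILE_HTML))
```

The check belongs in the response path of the profile view, not in a one-off audit: the privacy setting lives in the user's account, so the robots directive must be derived from it on every request, and a cancelled account should be served with the same hardened header (or no page at all) for as long as links to it survive in other users' profiles.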

3.1.4 Vulnerable Groups. Underage and legally incapacitated users.

This section gives specific attention to three groups that, by their nature, may be affected to a greater extent than other users: underage users, legally incapacitated users and workers, whose presence and participation in such platforms is common.

Underage and legally incapacitated persons

From a legal point of view, in matters related to the protection of honor, privacy and image, the specific regulation that already exists must be taken into account.

Organic Law 1/1982 on the Civil Protection of the Right to Honor, Personal and Family Privacy and Image specifically regulates the manner in which consent should be given by underage and legally incapacitated persons, in order to provide adequate protection of their rights to honor, privacy and image. In this regard, it provides that: "The consent of underage and legally incapacitated persons should be provided by them if their condition is considered mature by civil law."

Moreover, the law establishes two principles that contrast with the reality of the Internet. Article 1 stipulates that: "the civil protection of honor, privacy and image is defined by laws and social practices according to the acts made by a person". Moreover, referring to underage persons, Section 3 establishes the criterion that a mature underage person can consent in matters which affect his honor, privacy or image and, in cases where children do not have sufficient capacity to consent, the rule says that "the consent will need to be given in writing by the legal representative, who will be required to inform the Public Prosecutor about this consent. If within eight days the Public Prosecutor has objected to the given consent, the judge will decide."

An additional criterion is found in Article 4 of Organic Law 1/1996 of January 15 on the Protection of Underage Persons, which partially amends the Civil Code and the Code of Civil Procedure and which, in addition to recognizing the child's rights under Article 18 SC, provides for the intervention of the State Prosecutors in cases of dissemination of information or use of images or names of underage persons in media that may involve an unlawful intrusion into their privacy, honor or reputation, or that may be contrary to their interests. The provision also orders parents and/or guardians and the authorities to respect these rights and to protect them against possible attacks by third parties.

It is clearly evident that the reality of social networks goes beyond the current regulations, so a systematic and proper interpretation of every law and regulation is required. Children under 14 years old are capable of understanding the use of technology, capturing and reproducing information which affects their honor, privacy, image and interests, or those of others. Photographs of children proliferate on the Internet, on their own profile spaces and even on pages linked to their families and/or school activities.

It can be noted that the specific risks for children in this area are directly related to:

• Access to inappropriate content.

• The possibility of online contact, and even contact in person, with malicious users.

• The proliferation of children's images and personal information published by themselves or by third parties, in ignorance of the associated risks.

Social networks and websites have major difficulties in achieving effective protection of users, because their current systems are unable to control publications made by their underage users and because they lack tools that fully verify the identity of their users.


Therefore, as long as the measures to control content and access to inappropriate material are not properly developed and implemented, the risk of violating the rights of minors will persist.

To this factor it should be added that (as we have emphasized) Organic Law 1/1982, at the time it was created, did not contemplate the use of children's information and images, nor the intervention of the Prosecutor, on the scale that technology nowadays makes feasible.

The ENISA paper "Children in a virtual world: What parents should know" 65, published in September 2008, provides a series of recommendations to parents, highlighting, among others, the need to train and educate both parents and children alike.

Other cases: workers

From a legal point of view, the privacy of workers has additional protection, which Royal Decree 1/1995 of March 24, approving the text of the Workers' Statute (WS), complements by repeatedly stating the workers' right to be respected by the employer.

That rule provides that "searches of workers may only be carried out in their lockers, and only if these measures are necessary for the protection of the assets of the business and of other employees. During the implementation of these measures, the dignity and privacy of the employee will have to be respected, and they will be carried out with the assistance of the legal representative of the workers or, in his absence, of another worker of the company, whenever possible."

However, this is certainly not a criterion applicable to the Internet, as the Supreme Court indicated when it established that the employer can control and even limit access to the aforementioned media, by virtue of the power given by Article 20.3 of the Workers' Statute, if certain conditions are met 66.

65 http://www.enisa.europa.eu/doc/pdf/deliverables/children_on_virtual_worlds.pdf
66 Appeal for unification of doctrine 966/2006, judgment of 26/09/2007. The Supreme Court said: "The control of the use of the computer provided by the employer to the employee is not governed by Article 18 of the Workers' Statute, but by Article 20.3 of the Workers' Statute, and this provision must be applied with the qualifications set out below. The first concerns the limits of that control in this area; the provision cited refers to an exercise of the powers of surveillance and control which, in their adoption and implementation, must give due consideration "to the dignity of the worker", which also refers to respect for privacy in the terms to which reference has already been made in reviewing the judgments of the Constitutional Court 98 and 186/2000. (...) What the business has to do, in accordance with the requirements of good faith, is to establish in advance the rules for using these media, with absolute or partial bans, and to inform the workers that there is control and of the means to be applied in order to verify the correctness of the uses, as well as the measures to be taken, where appropriate, to ensure the effective use of the work environment, notwithstanding the possible application of other preventive measures, such as the exclusion of certain routes. The second qualification or precision concerns the scope of protection of privacy, which is consistent with the lawful control to which reference has been made. It is clear that the telephone and e-mail are included in this area, with the additional protection that derives from the constitutional guarantee of secrecy of communications."

Moreover, considering the potential of the Internet, it is proven that in personnel selection procedures use is made not only of the information provided by the candidate in the job interview, but also of the information that appears on social networks and other online services. Nor should it be underestimated that the results provided by search engines are also used.

Undoubtedly, this situation may pose a risk to the privacy of workers, so it again becomes necessary for workers to restrict their profiles and the access to their personal and private information.

3.1.5 Measures to protect the right to honor, privacy and image

Social networks and platforms are very attentive to protecting this right. They implement the following measures:

• Studies. For cases where users detect an action that affects their rights on the platforms.

o Reports inside the social network: The main social networks and websites have measures of this kind that allow any user to notify the webmaster of the publication of a photograph that is inappropriate or used without permission, as well as to request the removal of any comment, video or image that goes against the right to privacy, honor and/or image.

This report leads to the cancellation of the content and notification to the reported user of his/her fault. Usually, if the reported user continues the same forbidden action, the Webmaster will cancel his/her account.

o Express authorization by the user: This is related to the above-mentioned measure. The user must authorize the tags, comments or images, and has the possibility of reporting the content to the Webmaster. However, this system is established as an "opt out" (the user can ban and delete the content that was reported). Users who are not registered and who are tagged may be more affected, because in some social networks it is possible to tag a person simply by inserting an e-mail address.

It should be noted, however, that the law should be applied in a systematic and integrated way. In this sense, social networks and Web 2.0 services, such as blogs, offer users a space to exercise fundamental rights such as the right to information and freedom of speech.


Any citizen may exercise the right to information. To be legitimate, the exercise of this right needs to be of public interest and based on true facts.

The removal of content may affect the rights of its author, who could be harmed if the content is removed automatically and as a preventive measure. Therefore, it is necessary to define these procedures as adversarial proceedings in cases where the violation of rights is not obvious, or where removal may interfere with the legitimate exercise of other rights.

• Human and technological methods of protection:

o Reporting procedures: Several social networks have tested systems to inform users about content that may affect them. Such warnings are displayed when users upload multimedia content, such as photos and/or videos.

o Voluntary monitoring of content: Several social networks have volunteers who monitor the appropriateness of content. These groups monitor the content posted by users, including content that is not directly on the platform but linked to it.

o Software applications for age identification: Some social networks have implemented, in order to protect minors, programs that detect the approximate age of the user. This technique is based on analyzing the expressions used by users in their messages (language, expressions, style of writing, etc.). The aim of this measure is:

▪ Detecting the presence and participation of children in social networks intended for adults.

▪ Identifying adults who are trying to contact users younger than themselves.

However, as noted above, these measures do not reach the desired degree of effectiveness.

• Training and awareness of users

o Information about the duties of users: Social networks often come with lengthy adhesion contracts, where the obligations of users are diluted in a mix of contractual clauses. Specific information strategies should be adopted to ensure that users read their obligations.


o Development and publication of codes of ethics: The existence of rules of ethical
behavior is not new in the Internet world. ISPs should define a reasonable standard of
conduct in their environments, beyond the mere application of the rules. Encouraging
self-regulation codes for social networks may contribute significantly to the training
and awareness of the users.

3.2 Personal Data Protection

The functioning of social networks and collaborative websites is mainly based, as was
already mentioned, on the publication by users of their personal information and data,
which has various legal effects.

3.2.1 Definition of the right

Spanish legislation, like the Portuguese Constitution, laid out in Article 18.4 SC the
foundations of a new fundamental right. This right was defined as "Habeas Data", although
that is a much less accurate and appropriate description than referring to the right to
data protection. This right has been shaped by the case law through a series of rulings
that start with STC 254/1993 and end with STC 292/2000. They state that:

"The protection of the privacy of the person and his/her reputation has a positive
dimension that goes beyond the scope of the basic right to privacy (art. 18.1 SC), and that
is developed by the right of control over their personal data". The so-called "free IT"
entitles the person to control the use of the same data embedded in a computer program
(habeas data) and includes citizens' right to oppose certain uses of their personal data for
any legitimate purposes other than those that justified its acquisition (SSTC 11/1998, FJ 5,
94/1998, FJ 4).

This fundamental right to data protection, compared with the right to privacy of Article
18.1 SC, shares the goal of providing effective constitutional protection of personal and
family privacy, and gives the person a bundle of powers to impose on others acts or
behaviors that must be regulated by law: a law that, according to art. 18.4 SC, limits the
use of computers, protects the person's right to data protection (art. 81.1 CE) and/or
regulates its exercise (art. 53.1 SC). The peculiarity of this fundamental right to data
protection, with respect to the right to privacy, therefore lies in its different function,
content and object of protection.

According to the Constitutional Court, the object of protection of the right to privacy is:

"Any kind of personal information, whether intimate or not, the knowledge of which by third
parties may affect their rights, is granted protection by art. 18.1 SC. Therefore, it also
reaches public personal data, which, despite being accessible to anyone, are likewise
guaranteed the right to privacy over them. Also for this reason all data are under
protection, because with them anyone can identify or allow the identification of a person,
and they may serve to identify his or her ideological, racial, sexual, economic or other
aspects, or be used for any other purpose that in certain circumstances constitutes a
threat to the person."

For regulatory purposes, personal data is understood as "any information relating to an
identifiable person". Among the personal data that, in the context of social networks,
could identify people is the IP address, as defined by the Spanish Data Protection
Agency 67 and the Article 29 Working Party in its "Opinion on the concept of personal
data". 68

The large amount of personal data that users give on their profiles turns them into true
"digital identities" that allow a quick understanding of the contact details, preferences
and habits of the user. It should also be considered that data such as IP addresses are
used to segment the advertising targeted at different types of users, as well as to
increase the degree of contact between users.

In this way, and considering the basic principles laid down in existing legislation, the
protection of personal data should receive particular attention in any project related to
the world of social networking and collaborative websites, where the processing of
personal information is the key element of its operation.

3.2.2 Applicable law: regulation and its evolution

The legal framework on data protection addresses the need to safeguard and protect the
civil liberties and fundamental rights of persons, and especially their honor and personal
and family privacy, preventing the data from being used improperly or fraudulently, or
from being processed or transferred to third parties without the owner's consent.

International regulations

67 Spanish Data Protection Agency, Report 327/2003.
https://www.agpd.es/portalweb/canaldocumentacion/informes_juridicos/otras_cuestiones/common/pdfs/2003-0327_Car-aa-cter-de-dato-personal-de-la-direcci-oo-n-IP.pdf
68 Opinion on the concept of personal data. The Working Party considers IP addresses to be
data on an identifiable person. In that sense it has declared that "Internet access
providers and local network administrators can identify by reasonable means the Internet
users to whom they have assigned IP addresses, because they systematically register in a
file the date, the time, the duration and the dynamic IP address assigned to the Internet
user. The same can be said of Internet service providers that keep a log file on the HTTP
server. In these cases, there is no doubt that one can speak of personal data in the sense
of letter a) of Article 2 of the Directive."
(http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_es.pdf)


Currently there are laws to protect personal data in at least 46 states. This, coupled with
the fact that most of these standards have been published recently and address the new
and specific issues arising from the Information Society, makes the protection of personal
data one of the most extensively and best treated matters from the legislative point of
view.

All this, together with the various guidelines issued by the OECD 69 and the UN 70 and the
APEC Privacy Framework, 71 means that the basic principles and governing rules are similar
and closely aligned in each State.

European regulations

Just as happened with the development of the right to privacy, the Council of Europe
Convention 108 72 defines the context of privacy protection in relation to information
and communication technologies. Moreover, the judgments issued by the European Court of
Human Rights produce domestic legal effects and inspire the work of the Constitutional
Court in the interpretation of fundamental rights.

Convention 108 arose from the need to further protect the rights of individuals in
connection with the use of computers, particularly in regard to privacy, protected by
Article 8.1 of the European Convention on Human Rights. Furthermore, this had to be made
compatible with the legal protection of the freedom to transmit information, and, finally,
it was considered necessary to establish common ground between the laws of the would-be
signatory States in order to facilitate the international flow of data.

The Convention was preceded by two resolutions of the Committee of Ministers, R (73) 22 73
and R (74) 29, 74 concerning data protection in the private and public sectors
respectively, which put forward some basic principles that later inspired the drafting of
the Convention of 1981. Regarding this Convention, it should be noted that it has three
different parts: the provisions of substantive law, structured around basic principles,
the special rules related to the international flow of data, and the mechanisms for

69 OECD guidelines on privacy protection and transborder flows of personal data of
September 23, 1980.
http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
70 Guidelines for the regulation of computerized personal data files adopted by resolution
45/95 of the General Assembly on December 14, 1990.
71 Asia-Pacific Economic Cooperation Privacy Framework
http://www.apec.org/apec/news___media/fact_sheets/apec_privacy_framework.MedialibDownload.v1.html?url=/etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/2005.Par.0001.File.v1.1
72 Council of Europe Convention of 28 January 1981 for the Protection of Individuals with
regard to Automatic Processing of Personal Data, ratified on 27 January 1984 (BOE of 15
November 1985).
73 Resolution (73) 22 concerning the privacy of individuals with regard to electronic data
banks in the private sector, adopted by the Committee of Ministers on September 26, 1973.
74 Resolution (74) 29 concerning the privacy of individuals with regard to electronic data
banks in the public sector, adopted by the Committee of Ministers on September 20, 1974.


mutual assistance and consultation of the Parties. The Convention has been supplemented
by a set of recommendations to guide national policy decisions in specific sectors.

The Convention also defines the basic concepts of personal data, file system, automated
processing and the "file controller", which today is referred to as the data controller.

The Convention also establishes basic principles for data protection, such as data quality
and security, the rights of access, rectification and cancellation, the protection of data
revealing racial origin, political opinions, religious or other beliefs, as well as
personal data concerning health or sex life, and safeguarding procedures.

Moreover, the European Court of Human Rights has extended the application of Article 8
ECHR with a very broad conception of personal and family privacy that amounts to the
recognition of the right to data protection under Convention 108.

Within the European Union, Article 8 of the European Charter of Fundamental Rights
specifically recognizes the right to data protection as a right independent of the right
to privacy, which includes the right to consent, the duty to process data fairly and to
fulfill the rights of the persons affected, and entrusts its supervision to independent
authorities. This principle is also enshrined in Article 286 of the Treaty establishing the
European Community.

In 1995 the European Union issued Directive 95/46/EC of the European Parliament and of
the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data, 75 so that the Member
States would harmonize and adapt their domestic legislation on the protection of personal
data.

This text provides a regulatory framework aimed at establishing a balance between a high
level of protection of the privacy of individuals and the free flow of personal data within
the European Union (EU).

Key aspects of the EU rules on data protection are:

• Establishing the principle of data quality, so that personal data must be adequate,
relevant and not excessive in relation to the purpose for which they will be processed.

• Establishing, as a basic and essential requirement for the processing of personal data,
the prior consent of the data subject.

75 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:ES:HTML


• Requiring the Member States to establish an obligation to reconcile the right to privacy
in the processing of personal data with the right to freedom of expression.

• Establishing the basic principles of citizens' rights of access, rectification,
cancellation and opposition (ARCO) in relation to their personal data.

• Incorporating, as a basic principle, the guarantee of confidentiality and the obligation
to implement appropriate security measures to ensure that access to information is limited
and controlled.

• Setting forth the basic principles for the establishment of National Data Protection
Authorities.

• Laying down the foundations of international transfers of personal data.

• Promoting the development of sector codes of conduct intended to contribute to the
proper application of national provisions on the protection of personal data.

• Establishing the Article 29 Working Party as the reference institution in this area 76 .

The important work done by the Court of Justice should also be stressed, through judgments
which have clarified various aspects in this area 77 .

76 Established under Article 29 of Directive 95/46/EC and comprising representatives of the
Data Protection Authorities of the Member States. It is the independent advisory body of the
EU on data protection and privacy. Its tasks are laid down in Article 30 of Directive
95/46/EC and Article 14 of Directive 97/66/EC. It researches, analyzes and coordinates
community-level initiatives in the protection of personal data. Its activity has been linked
in recent times to the analysis of the services of the Information Society and the problems
of data protection and security.
The set of directives issued in this area is particularly extensive:
• Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the
Protection of Individuals with regard to the processing of personal data and the free
movement of such data.
• Directive 97/66/EC of the European Parliament and the Council of 15 December 1997
concerning the processing of personal data and privacy in the telecommunications sector.
• Directive 2000/31/EC of June 8, on certain legal aspects of the information society, in
particular electronic commerce in the Internal Market.
• Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002
concerning the processing of personal data and privacy in the communications sector.
• Directive 2006/24/EC of the European Parliament and the Council of 21 February 2006 on
the retention of data generated or processed in connection with the provision of publicly
available electronic communications services or of public communications networks,
amending Directive 2002/58/EC.
• Regulation (EC) No 45/2001 of the European Parliament and the Council of 18 December
2000 on the Protection of Individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data.
More information: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm


It is important to note that the recent meeting held in Strasbourg by the authorities
responsible for the protection of personal data in Europe addressed the importance of data
security in services such as blogs, social networks and other advanced Internet services,
and the need for policy and technological solutions, at an international level, to ensure
adequate protection of the rights of users.

In this regard, the authorities gathered there publicly expressed their decision to address
the phenomenon of social networks and similar services at a conference to be held in
November 2009 in Madrid (Spain), which will address the possible drafting of an
International Treaty on the Protection of Personal Data 78 that would provide an
extraterritorial regulation suited to the characteristics of such services.

In this regard, the Director, at the Spring Conference of European data protection
authorities (Rome, 2008), highlighted some points relevant from the viewpoint of this study.

On the one hand, it is clear that even if citizens cannot precisely define the scope and
nature of the fundamental right to data protection, they recognize and identify it as soon
as it is threatened or put at risk, and are concerned about the security of their personal
data on the Web.

Moreover, although users are aware of the existence of online privacy policies, the number
of visits to privacy policy pages is low, almost marginal. Privacy policies occupy hidden
spaces on sites and most of the time are unintelligible. Therefore, it is clear that people
do not know the actual content and implications of these privacy policies. On the Internet,
no one can speak of an agreement based on credible or reliable information. The same
applies to browsing trails and cookies; the indifference to this processing only disappears
when it causes a clear risk.

This state of affairs requires proposing shared international standards to ensure the
effective protection of the universal rights of users.

Although it has no normative value, special mention should be made of the Communication
on promoting data protection by privacy enhancing technologies (PET) of May 2, 2007 79
issued by the Commission to the European Parliament and the Council,

77 A clear example is the ruling in the case of Ms. Lindqvist, accused of having breached
Swedish legislation on the protection of personal data by publishing on her website various
personal data on several individuals, as she worked voluntarily with a parish of the
Protestant Church of Sweden. This lady had learned computer basics and designed a web page
of parish information which came to report on the health of a community member. Responding
to the questions referred, the Court identified the presence of a processing of personal
data under the Directive.
78 For more information, see the Agencia Española de Protección de Datos.
79 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0228:FIN:ES:PDF


which presents a clear example of the protection of the rights to data protection and
privacy of users using tools called "PET".

Privacy enhancing technologies (PET) are technological systems designed to reduce and,
where appropriate, eliminate the impact of new information technologies on the rights to
data protection and privacy of users, without undermining the capabilities of the
technological systems. Some examples of PET:

• Automatic data dissociation. The data should be stored in a format that allows the
person concerned to keep it only for the time necessary for the purposes for which it was
originally obtained. Thus, once users are no longer active, it becomes necessary to
dissociate their data.

• The use of encryption, which prevents unauthorized access to information transmitted
over the Internet, thus avoiding the unauthorized and unlawful processing of personal data
published on the Internet.

• Blocking the use of cookies, preventing the website from installing them automatically
on the user's computer, without the user's knowledge, to gather information and statistics
on the accesses the user makes during navigation.

• The Platform for Privacy Preferences (P3P), which allows users to analyze and compare
the privacy policies of the websites they visit, giving a report on the adequacy of these
policies.

• Identity management systems that allow users to control the data revealed in every
transaction, such as those promoted by the PRIME project (Privacy and Identity Management
for Europe).
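As an added illustration of the first PET above (automatic data dissociation), and not code from the study or from any project it mentions, the following Python routine applies a retention rule to a constructed set of profile records: once a user has been inactive for longer than a configurable period, the direct identifiers and the IP address are dropped and the stable user id is replaced by a random token, while non-identifying fields kept for statistics survive. The field names, the retention period and the sample records are assumptions made for the example.

```python
"""Automatic data dissociation for inactive social-network profiles.

Added example: field names, retention period and sample records are
constructed assumptions, not taken from the study.
"""
from __future__ import annotations

import secrets
from datetime import date, timedelta

# Fields that directly identify the person (assumed names). They are dropped,
# not merely blanked, once the retention period of an inactive account expires.
DIRECT_IDENTIFIERS = ("user_id", "name", "email", "ip_address", "phone", "last_active")

# Fields kept because they serve the statistical purpose only and do not
# identify the user on their own (assumption for this example).
RETAINED_FIELDS = ("country", "signup_year", "posts")


def is_inactive(profile: dict, today: date, max_inactive_days: int) -> bool:
    """True when the profile's last activity is older than the allowed period."""
    last_active = date.fromisoformat(profile["last_active"])
    return (today - last_active) > timedelta(days=max_inactive_days)


def dissociate(profile: dict) -> dict:
    """Return a new record with every direct identifier removed.

    Only the whitelisted statistical fields are copied, so a field that is
    added to the profile later cannot leak through by accident. The record
    gets a fresh random token instead of the account id, so it can no longer
    be linked back to the user.
    """
    cleaned = {k: profile[k] for k in RETAINED_FIELDS if k in profile}
    cleaned["record_token"] = secrets.token_hex(8)
    cleaned["dissociated"] = True
    return cleaned


def apply_retention(profiles: list[dict], today_iso: str, max_inactive_days: int) -> list[dict]:
    """Apply the retention rule to a list of profiles and return the new list.

    Inactive profiles are dissociated; active ones are copied unchanged.
    Records that were already dissociated are left as they are, so running the
    job repeatedly is idempotent and never re-tokenises an old record.
    """
    today = date.fromisoformat(today_iso)
    result = []
    for profile in profiles:
        if profile.get("dissociated") or not is_inactive(profile, today, max_inactive_days):
            result.append(dict(profile))
        else:
            result.append(dissociate(profile))
    return result


# Constructed sample data (documentation addresses and reserved IPs).
SAMPLE_PROFILES = [
    {"user_id": 1001, "name": "Ana Example", "email": "ana@example.invalid",
     "ip_address": "192.0.2.10", "phone": "+34 600 000 000",
     "country": "ES", "signup_year": 2007, "posts": 42, "last_active": "2008-12-20"},
    {"user_id": 1002, "name": "Bruno Example", "email": "bruno@example.invalid",
     "ip_address": "192.0.2.11", "phone": "+34 600 000 001",
     "country": "PT", "signup_year": 2006, "posts": 5, "last_active": "2008-01-15"},
]


def run_sample(today_iso: str = "2009-02-01", max_inactive_days: int = 365) -> list[dict]:
    """Run the retention job over the sample profiles for a given reference date."""
    return apply_retention(SAMPLE_PROFILES, today_iso, max_inactive_days)


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```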

As mentioned in the Commission Communication on the role of e-Government for Europe's
future, PET should be used in e-Government to generate the necessary confidence and provide
a satisfactory service.

United States of America

In the U.S. case, the first rule for the protection of privacy on the Internet was the
"Electronic Communications Privacy Act" (ECPA), in force since 1986, which sets out the
normative basis for the regulation of privacy in the electronic communications of users, as
well as the specific limits on the possibilities of access by public authorities to the
electronic communications of users.


In 1994 the "Computer Fraud and Abuse Act" was published, amending the above-mentioned
act and defining and regulating more closely the various aspects related to information
security with respect to viruses, spyware and the various forms of malware circulating on
the network that potentially jeopardize the privacy of users of online services.

In 1998, the federal government published the "Children's Online Privacy Protection
Act" (COPPA), which regulates more clearly the protection of the privacy of underage users
of online services, by making every service whose content is targeted specifically at
children under 13 years of age responsible for its adequacy to those ages.

Similarly, it provides that children who have to provide personal information on a website
must be informed clearly and comprehensively about the purposes for which those data have
been requested, and that the guardians of minors must be given a simple and free way to
know the kind of data provided by the child and to remove or update those data.

In 2001, following the attacks of September 11, the federal government published the
"USA Patriot Act" (UPA), in force since October 24, 2001, and the "Cyber Security
Enhancement Act" (CSEA), authorizing the interception by the government of any electronic
communication (regardless of its format), telephone calls, Internet searches such as those
in search engines, etc., without the need for prior judicial authorization, which has led
to a marked decline of civil and political rights in the name of the security of citizens.

Furthermore, it is worth noting the publication of the "Controlling the Assault of
Non-Solicited Pornography and Marketing" act, in force since May 17, 2002, which has
recently been amended and supplemented to some extent by the "Keeping the Internet Devoid
of Sexual Predators" act, submitted for signature by the President of the United States
on October 3, 2008. This rule is intended to allow the Attorney General to consult the
sex offender registry in order to find matches with cases of attempted abuse in social
networks and any similar online tool, which has prompted an immediate reaction from the
various social networks that operate in the United States, expressing their readiness and
full cooperation with the security forces in the search for and removal of the profiles of
people suspected of being dangerous to children 80 .

Finally, the "CAN-SPAM Act" should be noted. A main focus of the enactment of this Act has
been the homogenization of spam legislation in the U.S., where various State laws with
differing approaches to the problem had begun to proliferate, all of which were superseded
with the
80 For more information: http://blog.facebook.com/blog.php?post=34342042130


entry into force of the "CAN-SPAM Act". This law establishes a series of guarantees that
basically are:

• Mandatory labeling of messages that are advertisements or pornographic.

• Prohibition of forging the message headers that identify the sender, and of using a
misleading subject field.

• Prohibition of the surreptitious use of other people's computers for sending commercial
electronic communications.

• Ban on collecting email addresses without the consent of the affected persons and on the
use of "dictionary" techniques (generating recipient addresses from dictionaries of names).

National Regulations

In Spain, the regulation on the protection of personal data is focused mainly on two
standards:

• Law 15/1999 of December 13, on the Protection of Personal Data (LOPD).

• Royal Decree 1720/2007 of December 21, approving the implementing regulation of the
Organic Law on Data Protection (RDLOPD).

There are also sector-specific rules in areas such as health, telecommunications and
finance. However, the following rules have a very particular bearing on social networks:

• Law 34/2002 of July 11, on Information Society Services and Electronic Commerce
(LSSI-CE).

• Law 32/2003 of November 3, General Telecommunications Law.

• Law 25/2007 of October 18, on the Retention of Data related to electronic communications
and public communications networks.

• Law 56/2007 of December 28, on Measures to Promote the Information Society.

In accordance with the provisions of Law 15/1999, of December 13, on the Protection of
Personal Data (LOPD), the object of the rule is to "... ensure and protect, with regard to
the processing of personal data, the civil liberties and fundamental rights of individuals
and especially their honor and personal and family privacy."

Any processing of personal data must meet a set of basic principles:


• Data quality: it is essential that the data processed are adequate, relevant and not
excessive in relation to the scope and the specified, explicit and legitimate purposes for
which they were obtained, and they may not be used for purposes incompatible with those for
which the data were collected. The data must truthfully reflect the current situation of
the person concerned and must be rectified if there are errors. They may only be collected
for the specified, explicit and legitimate purposes of the processing, and the collection
of data through fraudulent, illegal or unfair methods is prohibited. Moreover, the
controller must keep personal information only as long as the purpose lasts, and cancel it
when the purpose ends.

• Information when collecting data: the persons concerned must be informed, at the time
their data are collected, of the scope of the processing to be performed. Article 5 of the
LOPD provides that "interested parties from whom personal data are requested must be
informed beforehand, explicitly, precisely and unambiguously, of:

a) The existence of a file or processing of personal data, the purpose of collecting them
and the recipients of the information.

b) The obligatory or optional nature of their response to the questions posed.

c) The consequences of providing the data or of refusing to supply them.

d) The possibility of exercising the rights of access, rectification, cancellation and
opposition.

e) The identity and address of the controller or, where appropriate, their
representative".

• Consent of the affected person: the expression of will, freely given, specific and
informed, by which the person concerned consents to the processing of their personal data.

• Specially protected data: this principle refers to personal data that reveal ideology,
trade union membership, religion and beliefs, for which consent must be express and in
writing; those referring to race, health and sexual life, for whose processing express
consent is required; and those related to the commission of criminal or administrative
offences.

• Data security: all companies, organizations, associations and institutions, public and
private, that store, process or access files of personal data must implement technical and
organizational security measures to ensure the confidentiality, integrity and availability
of the information.


• Duty of confidentiality: includes the obligations of secrecy, confidentiality and care
incumbent upon those who process data and, in particular, upon those whose functions
involve accessing files containing personal data.

• Data communication: "any disclosure of data made to a person other than the affected or
interested party". Personal data subject to processing may only be communicated to a third
party for purposes directly related to the legitimate functions of the assignor and the
assignee, with the prior consent of the data subject.

• Data access by third parties: this involves the provision of a service to the controller
of the file by a third company, called the processor, which accesses the data file in order
to fulfill the service contract, on behalf of and according to the instructions given by
the controller of the file.

Before making a complete analysis regarding the application of these standards, the
extraterritorial aspect of Information Society services should be taken into account.

Since the vast majority of providers of such services operate from outside the EU (most of
them operate in the U.S.), it has been analyzed whether it is possible to require social
networks to comply with Community rules. In this sense, the legislation provides that it
shall apply:

• When the data processing takes place in Spain through an establishment of the
controller.

• In the event that the controller is not established in Spanish territory, but Spanish
law is directly applicable through international agreements.

• When the controller is not established within the territory of the European Union and
uses, in the data processing, means or equipment located in Spanish territory, unless such
means are used solely for transit purposes.

It must be considered that in Spain, the law in relation to service providers, on legal and
practical grounds, admits the possibility of applying the national data protection
regulations regardless of the location from which the providers operate.

On the one hand, Organic Act 15/1999 on the Protection of Personal Data states that there
are two cases where responsibility applies to entities outside the EU/EEA: first, when the
processing is carried out in the framework of the activities of an establishment of the
provider in Spanish territory and, secondly, when means located in that territory are used.


In this regard, the Working Group on Article 29 has called its "Opinion on data
protection issues in relation to search engines” 81 . This opinion contains a number of
criteria to define when one considers that there is an agency of:

"The existence of an "agency" means the effective and real exercise of activity through
stable arrangements. The legal form of agency (a local office, a subsidiary with legal
representation or a third party) is not decisive. However, another requirement is that the
processing operation is conducted "under the" agency. This means that the agency
should also play an important role in specific processing operation. This is clearly the case
when:

• an agency is responsible for relations with users of the browser in a particular


jurisdiction;

• a search provider to establish an office in a Member State (EEA) involved in the sale
of ads targeted to people in that state;

• the agency of a provider of search engine meets the judicial and/or requests for
enforcement by the competent authorities of a Member State in relation to user data”

Furthermore, as regards the provision of services by suppliers outside the EU using in that
territory, the document contains a number of criteria. As the document states, "data
centers located in the territory of a Member State can be used for storage and processing
of personal data remotely. Other kind of media could be the use of personal computers,
terminals and servers. The use of cookies and similar devices software from an online
service provider can also be seen as a resource to media on the territory of the Member
State.

Also in 2002, the Working Party adopted a document on "the international
application of EU data protection legislation to the processing of personal data on Internet
sites based outside the EU" (WP 56) 82 . Given the complexity of this area and the
dynamic Internet environment, this paper provides a tool and reference point for the
examination of cases involving the processing of personal data on Internet sites based
outside the European Union.

In the same way, the LSSI-CE provides for its application to "service providers established in
a State outside the European Union or the European Economic Area." Thus, Article 4
stipulates that these providers are subject to the articles on the free provision of services and
on the collaboration of intermediary service providers to interrupt the service or remove certain
content when a competent Spanish authority has declared it unlawful.

81
https://www.agpd.es/portalweb/canaldocumentacion/internacional/common/pdf/WP_148_Dictamen_Buscadores_es.pdf
82
WP 56, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2002/wp56_en.pdf

The LSSI-CE also applies when these providers direct their services specifically at Spanish
territory, provided that this is not contrary to international conventions.

For the purposes of determining whether service providers direct their services specifically
at Spanish territory, several elements are considered:

• Whether they hold a domain name under the .es extension (Nic.es) or operate through
domain names such as "es.redsocial.com" or "redsocial.com/es".

• Whether the site is in Spanish.

• Whether they have a specific Privacy Policy.

• Whether the website, by its appearance and content, suggests that it is focused on
Spanish territory.

• Whether the advertising is for products and services distributed in Spain.

• Whether the number of Spanish users is high according to the web statistics.

• Whether offices or commercial agents process personal data in the national territory.

• Whether the service uses servers in Spain.

In this context, the Spanish Data Protection Agency has affirmed its competence to
apply these rules to service providers established outside the EEA with regard to the provision
of free email services 83 .

3.2.3 Possible risks on social networks. How could personal data be affected?
The risks identified below do not necessarily indicate that the service provider commits
abuses, but rather that, as the facts show, the default configuration of its services
usually offers a low standard of privacy.

The consent given is valid from the moment the user decides to accept the Privacy
Policy and terms of use contained in the registration form of the platform. The user must
pay attention to the content and its consequences; for this reason every policy must be
transparent, accessible and clear enough for users to understand it. The AEPD has
insisted on this matter in its "Declaration on search engines", as well as in its
"Resolution on free email".

83
Case E/01544/2007.

Similarly, users should always evaluate what kind of data they provide to the platform and
publish on their profiles, because the platform's processing of basic personal data (name,
address, phone, etc.) does not have the same significance as the processing of more
sensitive information (income level, credit records, trade union or political affiliation,
health, sex life, etc.), where the level of protection and awareness on the part of the user must be
higher, because this information belongs to the most intimate sphere of their lives.

Thus, although the information contained in user profiles is fed directly by the users
themselves, it is necessary to consider the main risks that may result from the use of such
platforms.

As a general rule, social networks and collaborative platforms have legal notices, terms of
use and privacy policies, although these are sometimes written in technical language that is
difficult for most users to understand. Thus, despite being published on the website, they
do not achieve their ultimate goal: that the user completely understands the subject,
purpose and terms under which their personal data are collected and processed.

The first critical moment for the protection of personal data is the initial registration
of the user. When the user provides the information needed to operate in the social network, the
data provided may be subject to several risks:

• That the information requested on the registration form could be excessive. It
must be noted that social networks often ask new users for data related to their
political ideology, sexual orientation and religious preference. As users are free to
enter these data, they must consider the implications this can have for their lives and those
around them, since the data may be visible to all their contacts. Therefore users and
those responsible for social networks should limit and control at all times that the extent
and significance of the data are not excessive. It should be noted that Article 7 of the LOPD
requires express written consent for data related to ideology, religion or
belief, and express consent for data on health, race and sex life.

• That the level of publicity of the user profile is too high. The moment of initial
registration is when the level of publicity should be properly configured, to
determine who will be able to access all the information published. All the networks
analyzed are enabled by default at the lowest level of privacy, with the result that
access is completely public, which creates a serious security risk for
users.

• That the purpose of the data is not correctly identified. Privacy policies on
such platforms often define the purposes for which personal data are collected and
processed, but it is generally completely unclear what the platform may or may not do with
these data, which poses another serious risk.

• International transfer of data. As mentioned, platforms are commonly
located outside the EU, mainly in the U.S., which means that at the time of user
registration the data are transferred to servers and offices located in that country. It is
therefore essential that the privacy policies of the service provider ensure an adequate
standard of protection. In addition, platforms may hand their databases over to
third parties to conduct campaigns of unauthorized communications (spam) or to
carry out other kinds of processing that enjoy less protection in the country in
which the data are processed. Users should take this into account as a criterion for
choosing a social network.

The second stage considered critical for the protection of personal data is the
intermediate stage, in which the user is active on the platform and uses its tools and
services. At this time, the issues that may jeopardize the security and protection of
users' personal data are:

• The publication of excessive personal information (one's own or a third party's). At this
stage the potential risk associated with excessive publication of personal
information by users remains.

Care must also be taken with the possibility that users publish information
regarding third parties, which may involve the processing and disclosure of data of
people who have not given their consent.

The AEPD has sanctioned the collection and publication of images of others on
collaborative platforms without the consent of the affected persons 84 .

In the same way, the AEPD has upheld claims against those responsible for websites for the
cancellation of data that had been supplied by third parties in online environments 85 .

84
Resolution of the Spanish Data Protection Agency (Resolución de la Agencia Española de Protección de Datos) PS/00117/2008.
85
TD/00266/2007.


• The installation and use of cookies without the user's knowledge. Social
networks and similar platforms often use these files to store certain
information about users and the way they navigate through the website.

These files are installed on users' computers, making it possible to detect the location
from which the user has connected, the kind of device used (fixed or mobile), the content
accessed, the most visited pages, the actions undertaken during normal browsing and
the time spent on each page, among many other features.

This way of collecting data works automatically, unlike the forms filled in on websites.

The IP address 86 from which the user connects to the Internet is considered personal
data by the Spanish Data Protection Agency, insofar as it can be linked to
an identifiable person. It is therefore to be understood that the possibility of
obtaining information about users' habits and browsing on a website
provides a very valuable tool in terms of marketing and advertising.

• Web "beacons" 87 . These are electronic images that allow the site to know who has
viewed the online content and what was viewed. These images are normally included in emails,
ads, etc. Depending on the kind of access, this information might include the following:

o IP address and origin of the connection.

o Mail application used.

o OS.

o Time at which the connection is made and/or the web site is viewed.

o Information about valid email addresses.

This and other information obtained can be used for different purposes, even for
attacks against the user (taking advantage of known vulnerabilities in the
software), confirmation of email addresses (for sending bulk junk e-mail, marketing
of databases), etc.

86
The IP address consists of a series of four numbers between 0 and 255 separated by dots that identifies a
computer connected to the Internet. Obviously, this system is not used for navigation because of the difficulty
of remembering such series. In its place, the DNS (Domain Name System) translates between these numbers
and the web addresses normally used in browsers, which are easy to recognize and remember.
87
A web bug or web beacon is a tiny image on a web page or in an email that is designed to monitor who
reads the message. Its size is negligible and may be a single pixel, in transparent GIF format. They are
represented as HTML tags. A web bug can obtain some information about the user (visitor to the website or
reader of the email).
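As an added example, not taken from the study or from any platform it analyzes, the following Python scanner flags image tags in an HTML email or page that match the web beacon pattern just described (a one-pixel or hidden image, a third-party host, a per-recipient identifier in the URL). The sample HTML, the host names and the query parameter names are constructed for this example.

```python
"""Added example: detect web beacons (web bugs) in HTML, as a defender would
when inspecting an e-mail or a page. Not from the INTECO/AEPD study."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a newsletter with one real photo, two beacons and a logo.
SAMPLE_HTML = """
<html><body>
<p>Hello Ana, see what your friends posted this week!</p>
<img src="https://cdn.example-social.test/photos/group.jpg" width="400" height="300" alt="Friends">
<img src="https://track.example-ads.test/open.gif?u=ana%40example.test&c=2009-02" width="1" height="1" alt="">
<img src="https://metrics.example-social.test/px?id=9f3c" style="display:none;width:0;height:0">
<img src="/static/logo.png" width="120" height="40" alt="Logo">
</body></html>
"""

# Query-string keys that typically carry a per-recipient identifier (constructed list).
IDENTIFIER_KEYS = ("u", "uid", "id", "email", "c")


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


class BeaconScanner(HTMLParser):
    """Collects <img> tags and records why each one looks like a beacon."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain  # the domain the message claims to come from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        reasons = self._beacon_reasons(a)
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

    def _beacon_reasons(self, a):
        reasons = []
        src = a.get("src", "")
        style = (a.get("style") or "").replace(" ", "").lower()
        # Footnote 87: a web bug is usually a single pixel or is otherwise invisible.
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 or 0x0 pixel size")
        if "display:none" in style or "width:0" in style or "height:0" in style:
            reasons.append("hidden via CSS")
        # Fetching the image sends the reader's IP, client and time to this host.
        host = urlparse(src).hostname or ""
        own = host == self.sender_domain or host.endswith("." + self.sender_domain)
        if host and not own:
            reasons.append(f"third-party host {host}")
        # A per-recipient token lets the server confirm that the address is live.
        query = parse_qs(urlparse(src).query)
        if any(k in query for k in IDENTIFIER_KEYS):
            reasons.append("per-recipient identifier in URL")
        # A large remote image is just a remote image: only tiny/hidden ones count.
        if any(r.startswith(("1x1", "hidden")) for r in reasons):
            return reasons
        return []


def find_beacons(html, sender_domain):
    """Return the suspected beacons in `html` for a message sent from `sender_domain`."""
    scanner = BeaconScanner(sender_domain)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_HTML, "example-social.test"):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```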


• Internet search engines automatically index the user profile. Most of the
platforms analyzed for this study, according to the interviews made, allow the main
Internet search engines to index user profiles with no restrictions.

In some cases the index includes the name of the registered user (nickname), a
profile picture and the real name, as well as pictures of related friends or contacts, with an
invitation to join the network attached.

This fact poses a threat to the protection of personal data, because basic information
and key contacts are exposed in a public network accessible to any user, and
the data and information exposed there could be used in an uncontrollable way
by third parties who are not in the "closed circle" of the social network's users.

In addition, it should be considered that the Spanish Data Protection Agency has
upheld the right to object to the indexing of names or other personal data by
search engines, which, as automatic data processing, must comply with all the obligations
under the existing legislation 88 .

• Receiving hyper-contextualized advertising. Online advertising is the commercial
model currently used by social networks. They can determine with a degree of accuracy
almost all kinds of products and services that the user is going to look
for, using the information provided automatically and through the application
of indexing algorithms based on "boolean" logic 89 .

• The receipt of unsolicited electronic communications (spam). Spammers use
social networks as sources of information and personal data that are
subsequently targeted for unwanted communications. There are several types of spam
in social networks:

First, when the user starts to operate on the platform and subscribes to several
applications or groups, these give the option of sending multiple invitations to all
the user's contacts.

In this way the user sends their contacts many communications; although at
first this does not seem to have an eminently commercial effect, on analysis
this action generates significant financial amounts for the platforms and the
developers of such applications, whose value increases with the number
of users to whom the communication has effectively been sent by the user.

88
TD/00463/2007
89
This is an algebraic system defined on a set B, which contains two or more elements, and on which two
operations are defined, called sum or OR (+) and multiplication or product or AND (·).


The second case is when users allow the applications to access their
address books and send all their contacts an email inviting them to
register in the social network.

The Spanish Data Protection Agency has indicated the criteria for distinguishing these cases:
when a communication has a commercial format and content, the IP address from which
the communication is sent comes directly from the platform, and those who receive
it have not given their consent, it would be a case of unwanted
electronic communications or spam 90 .

Moreover, when a user sends invitations to persons not registered on the
platform to become new members, this action could be interpreted as a form of
unwanted electronic communication, but the specific
circumstances of each case should be addressed.

• The impersonation of the identity of users in social networks. The term
identity impersonation, as an offence recorded in our criminal laws, takes on a new
significance in the online world, where there are usually many cases of users who have
several "digital identities".

Of course this is not always a negative situation, except for the possibility that one
person could register the identity of another person. In this regard, some measures
are discussed in the Recommendations chapter of this Study.

The third critical stage for the protection of users' personal data is the
moment when the user intends to unsubscribe from the service. At this time, many factors
may jeopardize the security and protection of users' personal data, such as:

• The impossibility of successfully unsubscribing from the service. Having
analyzed the registration and unsubscription processes of social networks, it was
detected in some cases that, despite the request to terminate the service and in
accordance with the Privacy Policy of some platforms, the unsubscription
was not made effective, and the users' personal data remained available to the
social network.

Often the user who attempts to unsubscribe from the service finds complex procedures
that are in no way related to the registration procedure of the electronic platform.

90
In this case we must consider the recent decision of the Spanish Data Protection Agency. The key to the
resolution is in the following paragraph: "The mailings that the complainant says he has received belong to a
continuous campaign to capture customers promoted by the defendant. The campaign consists of offering registered
users the ability to recommend the services and initiatives to friends and family through the virtual site, which has
a facility that allows one to send an informational message to an email address inviting the recipient to
register with it. The recipient receives the message, which includes a button that links directly to the customer
registration page."

• Data retention and compliance with the principle of data quality. Finally, there is the
potential risk posed by the fact that social networks and other information society
providers retain traffic data generated by users in their systems for
later use, with the purpose of knowing their preferences and performing contextual
advertising based on the content of their communications, thereby affecting the
principle of data quality.

In this regard, both the Article 29 Working Party in its "Opinion on data
protection issues in relation to search engines" and the AEPD in its
"Statement on Internet Search Engines" 91 , published on December 1, 2007, address
the issue of retention of users' personal data. The concern of the data protection
authorities led, in September 2008, one of
the main Internet search engines to agree to keep users' personal data
for a period of 9 months. However, social networks have not yet ruled on the
matter, saying only that personal data will be processed for the duration of the
relationship between the user and the platform, thus omitting the information regarding
the specific retention period.

Although the particular case of social networks is not identical to that of search
engines, we can conclude that social networks, as Information
Society services, should be subject to data protection legislation and
should address its basic principles, such as the principle of data
quality, insofar as they keep data on their servers indefinitely; the principle
of consent, insofar as they cannot process personal data without the
consent of the data subject; and the information principle, insofar as they must
inform all users in a clear and understandable form about what they will do with
their data and about their rights over them at any time.

3.2.4 Vulnerable Groups. Underage and legally incapacitated persons.

With regard to the existing measures for the protection of personal data, and the special
protection given to the groups considered vulnerable (underage and legally
incapacitated persons), it should be noted that, from this point of view, the
publication of Law 1720/2007, which approves the new Regulation implementing
the Organic Law on Data Protection (RDLOPD), is particularly important. Until it came into effect,
there was no explicit reference in Spain to the data protection of underage persons.

91
https://www.agpd.es/portalweb/canaldocumentacion/recomendaciones/common/pdfs/declaracion_aepd_buscadores.pdf

The new regulation introduces a major innovation with regard to the
consent of children, by providing that the processing of data corresponding to anyone
under 14 years of age requires the consent of parents or guardians.

The regulation also states explicitly that when collecting the child's consent the language
used must be simple and easy to understand, and that information about their relatives
cannot be obtained from children.

The person responsible who collects and processes personal data of underage persons is
liable for establishing the methods to ensure that the age of the person has been
effectively verified, or that the age and authenticity of the consent given by their parents,
guardians or legal representatives were appropriate.

These policy measures imply that social networks and collaborative platforms require
technological means to guarantee verification of the age of users.

However, despite the obligation mentioned above, if service providers,
manufacturers and distributors of security solutions and non-governmental entities do not
implement effective systems for identifying underage persons and their
data processing, there is an imminent risk that data are being processed
without valid consent.

In one case on this matter, the Spanish Data Protection Agency imposed a fine for
lack of diligence, when an entity did not properly verify the age of the person
who provided the data. It took place on a website, and the data were used to
send advertising 92 .

With regard to possible situations that may involve risks to the security
and privacy of underage and legally incapacitated persons, such as the publication of
personal and family information, it is necessary to advance in technological research and
development of new measures to effectively verify the age of persons, reaching
an effective solution that does not hinder the development of the Information Society
among young people.

However, this matter does not only call for technological solutions; as the Director of the
Spanish Data Protection Agency 93 said in his intervention before the 30th International
Conference of Data Protection Authorities, the risks to minors on the Internet are
largely due to an educational deficit and a lack of awareness about control over information.

92
PS/00281/2007
93
30th International Conference of Data Protection and Privacy Commissioners in Strasbourg.
http://www.privacyconference2008.org/


The current training of minors in the use of new technologies is insufficient. In primary
school, children are not advised on how to control their personal information
or how to identify risks in the Information Society. Training on data protection has not
been included in school curricula, and a real and effective commitment of national and
local entities and educational institutions is now necessary.

3.2.5 Measures taken to protect the personal data of users.

According to those responsible for the social networks interviewed for this study, for the
proper protection of users' personal data it is imperative to assess the data that
users publish in their profiles. They consider it extremely important that public and private
organizations, from the moment a new user's account is created, advise users
and make them aware of the dangers of excessive publication of content.

At a technical level, the above includes the following matters:

• Eliminate obsolete data that may exist on different servers and encrypt the data
still in use, thus minimizing the damage that may result from an external attack
by malicious users.

• Establish mechanisms for analyzing password strength so as to
force the user to select a password that is not easily guessed by third parties 94 .

• Decouple the data contained in the user profile, so that unauthorized
access by third parties would not give those parties access to all user data
and their use, possibly for malicious purposes.

• Create categories for effective control of profiles (what kind of data may be
allowed to be visible to other users):

o Limiting the degree of publicity of a user's profile.

The possibility of regulating and limiting the scope of publicity of a profile allows
the user to adjust their degree of exposure of the personal information and data
incorporated into the platform with respect to other users. This measure
gives the user real control over the information included in the platform.

o Restricting or preventing the indexing of profiles by the main Internet search engines.

This measure protects users of a particular platform from the indiscriminate
searches that are sometimes conducted via search engines and that at any
given time can reveal the personal information provided in the social
network.

o Limiting the geographical area from which a profile can be consulted.

o Limiting the amount of data that users can enter: for example, some
platforms decide to operate with profile nicknames or aliases, letting users decide
to whom they will be shown (example: vi.vu).

94
The document "Recomendaciones para la creación y uso de contraseñas seguras" by the "Observatorio de la
Seguridad de la Información de INTECO" contains relevant information on the use of passwords.
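As an added example, not from the study or from any of the platforms it analyzes, the following Python sketch applies several of the measures listed above in one place: data categories with a restrictive default (the opposite of the "lowest privacy level" default the study found), a separate rule for the LOPD Article 7 special categories, and an opt-out from search engine indexing expressed as the robots directive the profile page would send. Field names, audience names and the sample profile are constructed for this example.

```python
"""Added example: a profile-visibility policy with a privacy-preserving default,
special-category handling and a search-engine indexing switch. Not from the study."""
from dataclasses import dataclass, field

# Audiences, from most to least trusted. "crawler" is a search-engine bot
# (audience names are constructed for this example).
AUDIENCES = ("owner", "contacts", "members", "public", "crawler")

# Widest audience that may see each data category when nothing has been
# configured. Nothing is public by default, and contact data stay with the owner.
DEFAULT_VISIBILITY = {
    "basic": "contacts",   # name, city, avatar
    "contact": "owner",    # phone, e-mail, street address
    "special": "owner",    # LOPD art. 7 data: ideology, religion, beliefs, union
                           # membership, health, racial origin, sex life
}

# Category of every known profile field (constructed field names).
FIELD_CATEGORY = {
    "display_name": "basic", "city": "basic", "avatar": "basic",
    "phone": "contact", "email": "contact", "address": "contact",
    "political_views": "special", "religion": "special", "health": "special",
}

# Constructed sample profile used by the demo below and by the tests.
SAMPLE_PROFILE = {
    "display_name": "Ana G.", "city": "Madrid", "phone": "+34 600 000 000",
    "email": "ana@example.test", "political_views": "undisclosed",
}


@dataclass
class ProfileSettings:
    """Per-user choices; every attribute defaults to the most protective value."""
    visibility: dict = field(default_factory=lambda: dict(DEFAULT_VISIBILITY))
    allow_search_indexing: bool = False
    # Art. 7 data need the user's express consent before they are shown to anyone.
    special_data_express_consent: bool = False


def visible_fields(profile, settings, audience):
    """Return the subset of `profile` that `audience` is allowed to see."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience {audience!r}")
    if audience == "owner":
        return dict(profile)  # the data subject always sees their own data
    if audience == "crawler":
        if not settings.allow_search_indexing:
            return {}          # indexing disabled: the crawler gets an empty profile
        audience = "public"    # otherwise it sees exactly the public view, never more
    rank = AUDIENCES.index(audience)
    shown = {}
    for name, value in profile.items():
        # Unknown fields are treated as the most restrictive category.
        category = FIELD_CATEGORY.get(name, "special")
        if category == "special" and not settings.special_data_express_consent:
            continue
        widest = settings.visibility.get(category, "owner")
        if rank <= AUDIENCES.index(widest):
            shown[name] = value
    return shown


def robots_headers(settings):
    """Directive for the X-Robots-Tag header and the <meta name="robots"> tag."""
    directive = "index, follow" if settings.allow_search_indexing else "noindex, nofollow"
    return {"X-Robots-Tag": directive, "meta-robots": directive}


if __name__ == "__main__":
    defaults = ProfileSettings()
    for who in AUDIENCES:
        print(f"{who:9s} ->", sorted(visible_fields(SAMPLE_PROFILE, defaults, who)))
    print(robots_headers(defaults))
```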

Studies and other actions:

• Measures by which users can report situations in which their personal data and
privacy have been compromised. Every network should have a department for these matters so
that, in an automated manner, in a first phase the content can be locked and then, in a
second phase, analyzed individually. This allows users to immediately report
any possible breach of privacy or misuse of personal data.

• When social networks collect data and information about their users, platforms should
be guided by the principle of moderation, requesting only the data they
really consider relevant for the purpose of the platform.

• It is also necessary to point out that some Internet service platforms are beginning to
initiate training and awareness programs inside and outside schools, with the aim
of ensuring that both teachers and students are fully aware of all the benefits and risks
that the use of such services may involve.

3.3 Intellectual Property protection in social networks

The ease of reproduction and distribution over the Internet makes the web a main medium
for growth and, at the same time, a main challenge for the control and protection of copyright. The
contents are in digital format and, therefore, their distribution and public communication are
much easier than in other formats.

The content generation model has changed greatly with respect to the one that existed before
the emergence of Web 2.0, because now contents are not generated only by
authors: anyone has the possibility of generating and disseminating their works of
intellectual property, becoming a potential author, producer and distributor.

Social networks, particularly collaborative multimedia platforms such as Youtube,
Dalealplay.com, MySpace, Google video, Redkaraoke, etc., are the best example of the
possibilities offered by these platforms to authors 95 .

3.3.1 Definition of the right

Considering the protection of intellectual property in Information Society services, the
following premises should be taken into consideration:

• The author is the natural or legal person who creates a work.

• The intellectual property of a literary, artistic or scientific work belongs to the author
by the mere fact of its creation.

• Intellectual property rights are composed of personal rights and exploitation rights
over the work.

• Works of intellectual property are literary, artistic or scientific
works.

Protection is therefore addressed through the right that the author has over his
literary, artistic or scientific work.

Protection includes moral rights as well as property rights, giving the author full
disposal of their works and the exclusive right to exploit them.

• Moral rights: those rights inherent to the person and therefore inalienable,
including the "paternity" of the work, its integrity, the
decision on its disclosure and the recognition of authorship.

• Economic rights: rights that are economically quantifiable and can be disposed of
by their holders (natural persons and legal entities). These rights relate to the
activities of reproduction, distribution, public communication and transformation.

In this sense, the owner is the person entitled to authorize the reproduction,
transmission or making available of a work of intellectual property 96 , limited only by
the possibilities given by the right of quotation, private copying and temporary
reproductions, among others.

95
From "Web 2.0, The Business of Social Networks" by the Fundación de la Innovación Bankinter and
Fundación Accenture, published in 2007.
96
Art. 2 Law 1/1996, of Intellectual Property.


3.3.2 Legal framework: regulations and their evolution.

The objectives of intellectual property legislation are aimed at protecting the rights of
authors and other persons involved in artistic, scientific or literary works 97 .

International Regulation

International regulation on intellectual property is at a clearly more advanced level than
the other aspects analyzed in this study. Thus, in 1996, the World Intellectual Property
Organization (WIPO) proposed the adoption of two treaties to regulate the field globally:

• WIPO Copyright Treaty, which entered into force on March 6, 2002. Its purpose is
the protection of literary and artistic works such as books, software, music,
photographic works, plastic works and cinematographic works.

• WIPO Performances and Phonograms Treaty, which entered into force on May 10, 2002.
Designed to protect the rights of producers of phonograms and the rights of
performers when their work is fixed in any medium.

These standards represent a major advance in the modernization of international law,
giving greater protection to the rights of authors and establishing basic criteria and
standards for the development and implementation of measures to protect intellectual property
in Information Society services; they became commonly known as the "Internet
Treaties".

Both treaties require the establishment of a framework of basic rights, allowing creators to
exert control over and/or receive payment for the ways in which their works are used. But the most
important factor is the adequate and effective protection that the treaties grant to
holders of these rights when their works are disseminated using new technologies and
communication systems such as the Internet. In this sense, the Treaty provides:

• That the reproduction right applies to digital material and to the storage of material in
digital form in an electronic environment.

• That rights holders can control whether individual consumers have access to their online
creations and how, for example from their homes via the Internet.

To maintain a balance of interests between rights holders and consumers, it specifies that
States have the flexibility to establish exceptions or limitations to rights in the digital
environment for uses considered to be in the public interest and/or for educational research.

97
Art. 1 Law 1/1996, of Intellectual Property.


This legislation does not explicitly regulate the Information Society services considered in this report, social networking and collaborative websites, since these advanced services did not yet exist at the time of its adoption.

In the U.S., the basic rule for the protection of intellectual property rights is the Digital Millennium Copyright Act (hereinafter DMCA) of 28 October 1998, which provides an exemption from liability for Internet service providers (ISPs) in respect of the information transmitted, stored or disseminated by users through their information systems. This exemption, which is recognized in most parts of the world, applies as long as the Internet service provider:

• Does not have knowledge of, or obtain economic benefit from, the illegal activity.

• Has a policy on intellectual property published on its website and accessible to users, and

• Takes responsibility for addressing complaints of infringement of rights.

European legislation

At the European level, within the legal areas of intellectual property and new technologies, Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society 98, under which Member States must provide for the exclusive right to authorize or prohibit direct or indirect, temporary or permanent reproduction by any means and in any form, extends to social networks and all platforms of this kind.

Similarly, it provides that Member States shall grant authors the exclusive right to authorize or prohibit any communication of their works to the public, by wire or wireless means, including the making available to the public of their works.

National legislation

Like most of the rules of neighbouring countries, the Intellectual Property Act grants the authors of works these exclusive rights, meaning that any processing, reproduction, transmission or making available of the work must be done with the permission of the rights holders. Both the national legislation and the Community legislation start from a high degree of restriction of the rights of use, so that nobody can exploit intellectual property rights without permission from the author.

98
The complete text of Directive 2001/29/EC is available at: http://eur-lex.europa.eu


From this point of view, Spain has a long list of rules aimed at protecting the intellectual property rights of authors and, more specifically, at the protection of intellectual property in the services of the Information Society:

• Royal Legislative Decree 1/1996 of April 12, approving the consolidated text of the Intellectual Property Law (LPI), regularizing, clarifying and harmonizing the existing legislation on the subject, as amended by Law 23/2006 of July 7.

• Law 34/2002 of July 11, on Information Society Services and Electronic Commerce (LSSI-CE).

• Law 56/2007, of December 28, on Measures to Promote the Information Society (LISI).

• Organic Law 15/2003 of November 25, amending Organic Law 10/1995 of November 23, of the Criminal Code.

However, despite the fact that these are recently updated rules regulating the use made of intellectual property through the services of the Information Society, there are several difficulties in achieving the full protection of the rights of authors, with situations in which works protected by intellectual property are publicly communicated or reproduced without the prior permission of the author.

To minimize these situations, the Law on Information Society Services and Electronic Commerce (LSSI-CE) states that "providers of intermediation services are not obliged to monitor the content they host, transmit or classify in a directory of links, but must cooperate with the public authorities when required to interrupt the provision of an information society service or to remove content from the network, and may be liable if, knowing the illegality of a certain material, they do not act expeditiously to remove it or block access to it."

As ISPs, social networks, like other Internet service providers, have the technical capacity to control the content they host. Therefore, in principle, a general duty of supervision and control over third-party content can be held to apply to them, as due diligence in the service they provide.

From the viewpoint of the criminal regulation for the protection of intellectual property, Organic Law 15/2003 of November 25, amending Organic Law 10/1995 of November 23, of the Penal Code, defines three behaviours related to their protection, of which only those directly related to the services under study are referenced here:


• The distribution or public communication of protected content, either through the distribution of physical copies or by making it available on the Internet without permission from the copyright holder.

• The importation or manufacture of software or any other means to circumvent the technical protection measures of works, i.e. any system that allows the anti-piracy system of a particular work or website to be bypassed.

In relation to the protection of intellectual property and collaborative networks, the criminal relevance of publicly sharing content online using P2P technology (a technology widely used in recent times by online video streaming services), and of creating online communities for the provision of links to download works protected by intellectual property, has been reviewed by the Attorney General in Circular 1/2006 on crimes against Intellectual Property after the reform of Organic Law 15/2003 99. The Circular states that the exchange of files through P2P networks does not, in principle, meet the requirements to be classified as a crime against intellectual property, although it may be considered a civil wrong (tort).

The key element in determining this is that, in principle, there is no profit directly related to the activity, which is the essential requirement mandated by current regulations for it to be considered a crime. However, the specific circumstances of each case should be taken into account.

3.3.3 Probable risks. How could Intellectual Property Rights be affected in a social network?

From the point of view of the possible risks to the protection of intellectual property on the Internet in general, and in social network services and collaborative platforms in particular, the two main situations are:

• When a user who is not the legitimate holder of the intellectual property rights of the published information publishes the contents.

• On the other hand, the legal implications for works owned by the users themselves, which they decide to share through these networks and public platforms.

Starting from these considerations, the possible risks to intellectual property are analyzed, as has been done throughout this Study, at three key moments in the "life" of any user in a social network: the initial registration phase, the phase of participation of the user in the social network, and the phase of unsubscribing from the service.

99
For more information, the Circular of the Attorney General's Office of the State can be downloaded from the website: www.fiscal.es/fiscal/public


Thus, the first critical moment for the protection of intellectual property rights with respect to the contents and works created is the initial phase of registration of the user, the moment at which the user accepts the conditions of use which, in principle, will govern their whole relationship with the platform. The user must specifically read, understand and accept the conditions of use of the platform.

Although it could seem that this fact is not especially important, it is essential, insofar as users frequently accept conditions of use relating to intellectual property by which they fully assign their exploitation rights to the platforms, so that the platforms may freely use their works during the maximum legal term of 5 years.

If it is added that most of the analyzed platforms have confusing conditions of use, with frequently lengthy texts that are difficult to understand and habitually lodged in places of the website that are hard for the user to find, it can be concluded that the number of users who read at length and understand these legal conditions is not high.

Therefore, it is frequent that the assignment of all the intellectual property rights over the contents created, in favour of the platform, is made in a poorly considered way, which constitutes a possible risk for the users who publish their works and creations on these platforms.

The second moment at which risks to intellectual property rights can arise is the phase of participation of the user in the platform, in which they can publish contents, their own or other people's, and share them with the other members of the social network. At this moment, several situations could be considered:

• That the user who publishes has created the original content. In these cases, the user assigns (in most cases) their exploitation rights over the work, with hardly any territorial limit, for a term of 5 years (the maximum legal term) and without any right to receive compensation for it. Therefore, it is recommended that the user assess beforehand what the social network may do with these contents.

• That the published contents are the property of a third party. When a user decides to share within the social network a given work owned by a third party, they must not forget that the platform acts in principle as a mere intermediary, which is why responsibility for the publication of this content falls directly on the user.

Social networks and collaborative platforms have a very wide reach, and for authors this way of distributing their contents can be very advantageous. Nevertheless, the main problem that can arise is that there are no effective ways to control the work and to obtain direct compensation for it.

On the other hand, and independently of ownership, there is the risk that the contents (their own or other people's) published by users on the platform can be indexed by Internet search engines, which would mean that their diffusion is greater and therefore that the number of reproductions increases exponentially, and consequently that the compensation owed to the holder of the rights also increases directly.

Finally, the third moment at which intellectual property rights can be put at a possible risk derived from the use of this kind of platform is the phase of the user unsubscribing from the service.

In this sense, it is appropriate to distinguish between profile-based social networks and content platforms, since in the former all the contents associated with the profile of the user (photographs, videos, literary works, etc.) will be deleted, or access to them blocked, at least from the moment at which the user requests to unsubscribe from the service.

Nevertheless, in the case of content platforms, members can publish works without these being directly associated with their profile, which can cause the content to remain publicly accessible even though the user requests to unsubscribe from the service.

The assignment of rights in favour of the platform would continue to be effective, which is why the platform will be able to continue benefiting from the contents provided by the users.

3.3.4 Specially protected groups. Underage and legally incapacitated persons.

With regard to the group of underage and legally incapacitated persons, Royal Legislative Decree 1/1996, of April 12, approving the Text of the Intellectual Property Law (LPI), does not establish any special provision in respect of minors and authorship, so that any person, independently of their age, can be the author of a work of intellectual property.

Nevertheless, we have to consider that this Law states that "authors under eighteen years and over sixteen, who live independently (with the consent of their parents or guardians or with the authorization of the person or institution that has them in their charge) have full capacity to assign exploitation rights."

It will therefore be necessary for those platforms that accept the registration of users under 18 years of age to verify their age of majority, or that they live independently, according to the requirements laid down in the legislation in force.

Other cases: Workers


With regard to workers, the LPI establishes in its articles 51 100 (with respect to labour relations) and 97 (computer programs) provisions for works created in the course of a labour relation and for the legitimate holder of the rights, who, unless otherwise agreed, is usually the employer or the legal person that publishes the work.

For authors who are in a labour relation, two conducts are indicated from which a series of risks can be derived:

• The first case to analyze is that in which a worker discloses through a social network that they are working on a certain work, or announces its launch in advance.

These conducts can injure the intellectual property rights over the work and entail a breach of the norms expressed in the Criminal Code, since the authors of the work, under their moral rights, must be able to decide whether or not to publish this information, and when (without entering into considerations of market and competitive disadvantage).

In these cases, a work that has not yet been finished is made available and, in addition, it has been obtained illegally, so the private copy exception cannot be invoked. Such a disclosure of contents would entail the dismissal of the worker and the possibility of a civil claim by the holders of the disclosed work.

• The case of application development is governed by article 97 LPI, which provides that, when a salaried worker creates a computer program 101 during their working day using the means of the company, the software will be owned by the company.

3.3.5 Measures to protect the intellectual property rights of users and third parties.

As has been mentioned, Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE) in the case of Spain, like the Digital Millennium Copyright Act (DMCA) in the U.S., uses a system of reporting infringements of intellectual property rights, by means of which the user can internally notify the administrators of the platform that an unauthorized exploitation of intellectual property rights exists, so that the platform can verify it and, where appropriate, withdraw the content.

100
The judgment of the Civil Chamber of the Supreme Court of March 29, 2001 was clear in affirming that, under Art. 51 LPI, the creation and assignment of an author's work can be carried out by means of an employment contract and subject to labour legislation; in such a way that, when the result of the work is an author's work, its assignment need not include the entirety of the intellectual property rights, but only the main or most relevant ones, which are the exploitation rights, in view of their current nature. Indeed, that rule indicates that the fact that the employer does not have absolute property over the fruits of the work (in this case, of a worker who creates an original work) does not prevent this contractual relation from being formed as a labour relation. Thus, the heading of the mentioned rule of the LPI is clear when it speaks of "the transmission of the author's rights".

101
The applications generated for social networks are still software; the only difference from traditional programs is the programming language used in them.

In this sense, and as is the case on some of the analyzed platforms, there are bilateral agreements with associations of authors and large organizations that own exploitation rights, by means of which the holders of the exploitation rights themselves are in charge of watching, reviewing and, where appropriate, withdrawing the contents that harm their rights.

This measure provides each of the rights holders with privileged access to the platform, as well as authentication codes and labelling of their works, in such a way that the works are easily detectable and fast, effective action is made possible.

Similarly, it has lately been observed that more and more large companies in the content industry are reaching bilateral agreements with distribution platforms and social networks to open channels in which they themselves host and publish their contents, as a countermeasure against the indiscriminate and uncontrolled publication by users of contents they own. In this way, publication on the network is not avoided, but control over the published contents is achieved.

This kind of measure is a clear sign that the market is changing and that the intervening agents are beginning to see in the Information Society an opportunity and not an obstacle, which without a doubt augurs good results in the coming years, as recently set out in the study published by ASIMELEC on "the Digital Contents Industry" 102.

On the other hand, the Court of Justice of the European Communities has affirmed that Member States, when incorporating into their legal systems the directives that protect intellectual property rights in the Information Society, must guarantee a fair balance between the rights to the protection of personal data, to effective judicial protection and to property 103.

Recently, the Study of the European Parliament, which rejected granting Internet providers "a power similar to that of the police", has received the support of the European Commission, indicating that operators "cannot restrict the access of Internet users nor the fundamental rights of citizens without prior judicial authorization" 104, although the proposal is pending definitive approval.

102
More information: 2008 Report on the Digital Contents Industry. ASIMELEC

103
STJCE (Judgment of the Court of Justice of the European Communities) of 29/01/2008. Case C-276/06. Promusicae.

In the same way, and from the public point of view, in Spain the Ministry of Culture approved the Government's Comprehensive Plan for the reduction and elimination of activities against intellectual property, published in the BOE of April 26, 2005 105, which is based on the fight against piracy. Thus, for example, efforts are being focused on platforms for the illegal sharing of contents.

The recording and audiovisual industry has formed what they themselves have called "the Coalition", made up of SGAE, Promusicae (AIE and AGEDI), the Federation for the Protection of Intellectual Property, the Association of Cinematographic Distributors (ADICAN), the Association of Video Distributors (ADIVAN) and EGEDA, whose purpose is to foster the protection of the rights of the authors it represents, paying special attention to the vulnerabilities that have their origin in the services of the Information Society.

On the other hand, the Spanish Data Protection Agency has formulated recommendations on the need to approve a Law that allows the intellectual property of authors to be protected in conjunction with personal data protection 106.

3.4 Protection of Users and Consumers

The advances of social networks and collaborative platforms are modifying commercial practices, redefining the way goods and online services are offered by means of advertising highly contextualized according to user profiles, diversifying the market and creating new distribution channels.

These new business models, based on electronic commerce, can raise a certain degree of uncertainty among consumers around questions relating to the security of electronic transactions, the formation and validity of contracts, the applicable law or the competent jurisdiction in case of litigation, among other questions.

The following sections deepen the analysis of these aspects, informing about the normative instruments and technological measures that currently exist at the service of consumers/users of goods and services through the Internet, in order to guarantee a secure and reliable environment for economic traffic that ensures the total legality and transparency of the product purchase process through the Internet, in general, or through any social network or collaborative platform.

104
More information at Consumer Eroski Tecnologías de la Información

105
More information at www-mcu.es

106
AEPD Annual Report 2007, legal advice 2.

3.4.1 Definition of the right

A consumer is understood to be the natural or legal person "who takes part in a commercial activity with the intention of acquiring a product or service at a determined price, whether through habitual commerce or by means of electronic commerce transactions".

For the purposes of determining what is understood by "distance contracts", it is necessary to take into account the following definition: "distance contracts are those concluded with consumers and users within the framework of a business activity, without the simultaneous physical presence of the contracting parties, whenever the offer and acceptance are made exclusively through a technique of remote communication and within a system of distance contracting organized by the seller" 107.

The law provides many means through which remote services can be provided, the most habitual being: "forms, with or without a specific addressee, standardized letters, press advertising with an order coupon, the catalogue, the telephone (with or without human intervention), the radio, the videophone, videotext with keyboard or touch screen, electronic mail, fax and television", among others.

Thus, the rights of consumers and users with regard to distance contracts, as set out in Title III of Royal Legislative Decree 1/2007, of November 16, approving the consolidated text of the General Law for the Defense of Consumers and Users and other complementary laws, include the following principles:

• Right to information.

• Right of withdrawal.

• Minimum guarantees of the product.

• Commercial communications and misleading advertising.

3.4.2 Applicable Regulations: Regulation and its evolution

The regulation in force applicable to the consumer and user sector is intended to safeguard the rights of users and the fulfilment of the obligations imposed on the intervening parties.

107
Concept stated in the Law for the Defense of Consumers and Users.


International Regulations

At the international level there is no express agreement on the matter. Nevertheless, there are recommendations and similar guides from the OECD arising from the different meetings between the Commerce Ministers of the States. Among them, the OECD Consumer Protection Guidelines stand out, approved in September 1998 with a programmatic purpose, in which the basic principles are laid down to:

• Control fraudulent commercial conduct.

• Resolve disputes and return goods.

• Ensure the privacy of consumer data in electronic transactions.

In the U.S., from the point of view of Internet services in the matter of protection of consumers and users, the competent body is the Federal Communications Commission (FCC), although, to date, there is no general regulation for the defense of this group.

European Regulations

At the European level, the legislation in force in the matter of protection of consumers and users is set out in four Directives:

• Directive 93/13/EEC of the Council, of April 5, on unfair terms in consumer contracts.

• Directive 99/44/EC of the European Parliament and of the Council, of May 25, on certain aspects of the sale of consumer goods and associated guarantees.

• Directive 97/7/EC of the European Parliament and of the Council, of May 20, on the protection of consumers in respect of distance contracts.

• Directive 85/577/EEC of the Council, of December 20, on the protection of consumers in respect of contracts negotiated away from business premises.

In addition, there is Directive 2000/31/EC of the European Parliament and of the Council, of June 8, 2000, on certain legal aspects of electronic commerce in the internal market, transposed in Spain in the current Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE), intended to regulate the provision of Information Society services.

National regulations

In chronological order, the first is Law 7/1996, of January 15, on the Regulation of Retail Commerce, whose object of regulation is distance sales, establishing that these are sales made "without the simultaneous physical presence" of the parties, whenever the essential actions of the contract, such as the offer and the acceptance, are made by any means of remote communication and carried out within a system of contracting organized by the seller.

Royal Legislative Decree 1/2007, of November 16, approving the consolidated text of the General Law for the Defense of Consumers and Users and other complementary laws, without prejudice to what is provided by the LSSI-CE with regard to electronic contracting, lays down what information must appear in distance sales, in a clear, comprehensible and unequivocal form, before initiating the contracting procedure:

• The identity of the seller or service provider and their address.

• The essential characteristics of the product or service.

• The price, including all taxes.

• The payment method and the modalities of delivery or execution.

• The existence of a right of withdrawal or termination and its causes.

• The cost of using the technique of remote communication, when it is calculated on a basis other than the basic tariff.

• The period of validity of the offer and the price.

• The minimum duration of the contract.

• Where applicable, that the seller has, or is adhered to, some extrajudicial procedure of conflict resolution.

When the user is simultaneously a consumer, they immediately obtain the rights contemplated in the legislation for consumers and users, which cannot be waived and will be exercised automatically, even if the applicable legislation is not Spanish. This will happen if the contract establishes a close connection with any Member State.


Remote agreements can include general conditions, which will have to be incorporated into the contract, accepted by the user and signed or accepted by both parties. The general conditions will never prevail over the specific ones, unless the general ones are more beneficial for the adherent. Doubts about the general conditions will always be resolved in the sense that favours the adherent. In this sense, Law 7/1998, of April 13, on General Contracting Conditions (LCGC) applies.

The use of general conditions is frequent in online commerce. These are adhesion contracts in which consumers/users do not have any capacity to decide on or vary the clauses, having to accept, in any case, the conditions that the seller has arranged. It is for this reason that the law in force tries to increase the level of protection of consumers/users in this kind of subscription procedure for services.

General clauses that the adherent has not had a real opportunity to know in full will not be incorporated into the agreement (article 7 of the LCGC). For that reason, in electronic contracts, it is important to make their existence and location known, both at the moment of contracting/signature and before the start of the contracting/signature process. In addition, the clauses will have to be legible, clear, simple and comprehensible, so as not to run the risk of invalidity set out in article 8 of the LCGC. When some clauses are considered null, but the contract can continue to subsist with the rest of the clauses and the individual ones, it will not be considered ineffective.

Finally, it is worth emphasizing what is provided by the specific rule regulating electronic commerce in Spain, namely Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE), which provides that "contracts concluded electronically will produce all their effects when the necessary consent and the other requirements for their validity concur". In addition, the Civil Code, the Code of Commerce and the laws mentioned above will apply to them.

3.4.3 Possible risk. ¿How do these rights could be affected?


In some cases the possible risks of a consumer -as user of social networks- can be
assumed by the own user, since is the user who maintains the control of the information
lodged in the platform or social network, which by a voluntary form has been registered in.

Depending on its activity, every provider established in Spain must fulfil certain obligations established by the LSSI-CE, with the purpose of guaranteeing that its activity is carried out with total transparency, without harming the rights of users.

Thus, Article 10 of the LSSI-CE gathers a series of obligations incumbent on providers of Information Society services, with the intention of preserving the right of consumers and users to information regarding the goods or services provided. Specifically, the provider must inform about:

• Name or company name, address, e-mail address and any other data that allows contact.

• The data of registration in the Mercantile Registry.

• Data relating to authorizations, where the provider is subject to them.

• If the provider practises a regulated profession, it will have to indicate: the data of the professional association, official academic degree, place of issue and homologation and, if applicable, the professional rules applicable to the exercise of its profession.

• The tax identification number that corresponds to it.

• Clear and exact information about the price of the product or service, indicating whether taxes are included and, if applicable, the shipping expenses.

• The codes of conduct to which it adheres.

Another possible risk a consumer may face is deceptive advertising, which consists of a statement carried out as illicit advertising, made in any form, that induces or could induce consumers into error, and is capable of affecting their economic behaviour or harming the advertiser’s competitors.

On this matter, Law 34/1988, of 11 November, the General Advertising Law, determines all the elements that characterize deceptive advertising (characteristics of the goods, price, conditions and reasons for the offer).

The acceptance of the general conditions constitutes another fundamental aspect for the consumer to consider before agreeing to the service offered through a collaborative platform or social network. As has been indicated, the legislation itself establishes the obligation to inform the user in a clear manner of the conditions to which the parties must submit.

However, the appearance of abusive clauses in a contract constitutes a defect with far-reaching legal implications between the parties. The rule itself defines an abusive clause as follows: “All those stipulations not negotiated individually and all those practices not expressly consented to which, against the requirements of good faith, cause, to the detriment of the consumer and user, a significant imbalance in the rights and obligations of the parties arising from the contract”.

In any case, every contractual clause that limits the basic rights of consumers and users, that is clearly disproportionate in relation to the service provider, or that deprives them of the enjoyment of the rights the rule itself grants, will have the character of an abusive clause.

The development of new technologies, together with the growth of commercial activity over the Internet, has given rise to new abusive practices derived from breaches of the legal provisions which, in the most extreme cases, lead to the commission of crimes sanctioned by criminal law.

It is obvious that any person who uploads any kind of information or files to the Network, whether or not a service provider, is responsible for the lawful origin of the services or products offered.

3.4.4 Specific cases. Underage and legally incapacitated persons.

From a normative standpoint, the LSSI-CE establishes that pages intended for underage users must not include content that offends against the protection of children and young people.

There is software that filters and blocks content in order to control and restrict the content or materials that underage users can access.

In any case, it is recommended to guide children on how to surf the web.

3.4.5 Measures to protect the rights of users and consumers

At present, the measures used by online platforms that operate as electronic commerce sites, or that may be subject to consumer law, are:

Electronic identification systems based on recognized electronic signature certificates are beginning to be used by electronic commerce platforms as a measure to guarantee the commercial transactions that consumers make.

The implementation and use of this kind of system allows both the consumer and the electronic store to guarantee:

• The identity of the person who buys and of the one who sells.

• The integrity of the consent given.

• The “non-repudiation” of the transaction.

In this way, any consuming user who buys through a Web site:

• Has total certainty that the holder of the domain name and of the online store is the company that really sells the products or services.

• Can show that on a specific day, at a specific hour, he or she expressed consent and paid a guaranteed amount in exchange for the shipment of a product.

On the other hand, the seller is guaranteed:

• The technological capacity to electronically accredit the date and hour at which the consent was given by the user.

• The acceptance by the user/consumer of the general conditions displayed on the Web site.

• In case the user denies being the one who gave the required consent, the user will have to prove it, which reflects the “non-repudiation” mentioned above.
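The following Go program is an added illustration, not part of the original study, of how a signed consent record provides the integrity and non-repudiation guarantees listed above: the buyer signs the record (user, hash of the accepted general conditions, date and hour, amount) and the store verifies it later, so that any altered field fails verification. The user identifier, terms text, timestamp and amount are constructed values, and the binding of the public key to the person's real identity is assumed to be supplied by the recognized certificate, which is outside this snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ConsentRecord is what the buyer signs: who consents, to which version of the
// general conditions (identified by hash, so a later edit cannot be swapped in),
// at what date and hour, and for what amount. All values here are constructed.
type ConsentRecord struct {
	UserID      string    // identity the recognized certificate binds to the key
	TermsSHA256 string    // hex SHA-256 of the general conditions shown to the user
	SignedAt    time.Time // date and hour the consent was given
	AmountCents int64     // amount the buyer agrees to pay, in cents
}

// canonical returns the exact bytes that get signed. Any change to a field,
// however small, changes these bytes and therefore breaks the signature.
func (c ConsentRecord) canonical() []byte {
	return []byte(strings.Join([]string{
		"consent-v1",
		c.UserID,
		c.TermsSHA256,
		c.SignedAt.UTC().Format(time.RFC3339),
		fmt.Sprintf("%d", c.AmountCents),
	}, "\n"))
}

// HashTerms pins the exact text of the general conditions the user accepted.
func HashTerms(terms string) string {
	sum := sha256.Sum256([]byte(terms))
	return hex.EncodeToString(sum[:])
}

// SignConsent runs on the buyer's side: the private key never leaves the user
// (in practice it lives on the certificate's card, such as the electronic DNI).
func SignConsent(priv ed25519.PrivateKey, c ConsentRecord) []byte {
	return ed25519.Sign(priv, c.canonical())
}

// VerifyConsent is what the store, or later a court, runs against the stored
// record and signature. Success gives integrity (the record is exactly what was
// signed) and non-repudiation (only the holder of the private key matching pub
// could have produced the signature).
func VerifyConsent(pub ed25519.PublicKey, c ConsentRecord, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(pub, c.canonical(), sig) {
		return errors.New("signature does not match record: altered or signed by another key")
	}
	return nil
}

func main() {
	// Key pair standing in for the user's certificate (constructed for the demo).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	terms := "General conditions v3: 14-day returns, shipping 4.90 EUR (constructed text)"
	rec := ConsentRecord{
		UserID:      "user-1234",
		TermsSHA256: HashTerms(terms),
		SignedAt:    time.Date(2009, 2, 10, 10, 30, 0, 0, time.UTC),
		AmountCents: 4990,
	}
	sig := SignConsent(priv, rec)
	fmt.Println("stored record verifies:", VerifyConsent(pub, rec, sig))

	// Integrity: the store cannot later claim a different amount was agreed.
	altered := rec
	altered.AmountCents = 9990
	fmt.Println("altered amount verifies:", VerifyConsent(pub, altered, sig))

	// Nor can it substitute a newer version of the general conditions.
	altered = rec
	altered.TermsSHA256 = HashTerms(terms + " (edited after the fact)")
	fmt.Println("swapped terms verify:", VerifyConsent(pub, altered, sig))
}
```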

In this sense, it is essential to consider that the full implantation of this kind of electronic identification system will only be achieved when the electronic DNI reaches global penetration among national and European citizens, at which point the development of the Information Society will rest on more solid principles of security, identity and integrity.

Likewise, the great majority of the analyzed platforms that have electronic purchase procedures resort to installing on their servers a secure-channel protocol (Secure Socket Layer, SSL), which guarantees to all their users that the communications, requests and information transmitted between the Web site and the user are not accessible to an unauthorized third party.

Similarly, all the platforms that integrate electronic commerce have an electronic payment Point of Sale Terminal (TPV) provided by the financial entity, which subjects the electronic payment procedure to a properly certified security protocol, guaranteeing that the establishment neither has access to, nor retains, nor processes the users’ credit card data.

On the other hand, there is a clear evolution of the platforms towards alternative means of payment that fully guarantee the security of the transactions and that provide liability insurance for cases in which the product is not received or the transaction suffers some kind of error.

It is worth highlighting services like PayPal, belonging to the eBay Inc. group of companies, which make available secure means of payment based on e-mail addresses and credit cards, guaranteeing users economic insurance for each and every transaction carried out through this system.

Likewise, having the general terms and conditions available, where all the clauses relating to guarantees are set out (return terms, prices, shipping, among others), is a guarantee for the consumer/user.

However, at present this guarantee is not fully implemented, as analyzed in the preparation of this Study, since the platforms lack legal documents that strictly comply with the obligations laid down in Law 1/2007, of 16 November, by which the General Law for the Defense of Consumers and Users and other complementary laws is approved.

4 PROPOSALS AND RECOMMENDATIONS ADDRESSED TO THE AGENTS PARTICIPATING IN SOCIAL NETWORKS

Social networks and collaborative websites have revolutionized the Internet, providing users with countless benefits. However, it is becoming increasingly necessary for their agents to take into account certain aspects related to security and the protection of users, in order to ensure that the use of these services benefits everybody.

Thus, in order to properly protect end users, the main agents of the value chain need to consider the correct application of a set of recommendations addressed respectively to social networks and collaborative platforms (regarding legal and technological requirements), ISPs and Internet access providers (regarding technological requirements and user security), producers and providers of computer security services (regarding the tools necessary to ensure user security), the Administration and Public Institutions (regarding legislative measures, and the awareness and training of users and market agents) and users (correct use of such platforms).

In this respect, the following aspects will be emphasized:

• The knowledge and the assessment of the fulfillment level of the current Spanish
and European legislation by social networks and the collaborative platforms.

• The knowledge and the assessment of the security systems implemented by social
networks and similar platforms, to protect the users.

• The knowledge and the assessment of the sociological implications that social networks and similar platforms are having on the habits of users.

• The compilation of national and international statistics regarding the way underage users use social networks, as well as their legal protection and the technological situation in this respect.

Based on interviews conducted in the sector, as well as on round tables bringing together specialists in Technological Law and Information Security, and others bringing together underage and adult users respectively, the main proposals and recommendations that the agents of social networks should consider are set out below.

4.1 Proposals and recommendations addressed to the Industry

4.1.1 Proposals and recommendations addressed to social networks and the collaborative platforms

It has been repeatedly demonstrated that the social networks and platforms which generate and maintain the highest degree of trust among their users are the ones currently succeeding and being considered references at local and international level.

The following proposals intend to provide social networks and platforms with basic recommendations that are essential for them: a) to comply with European and national legislation, b) to ensure the protection of their users, c) to be aware of the legal and technological implications conveyed by certain practices, d) to identify the technological tools necessary for their services, e) to increase the level of awareness of the need to improve the security and protection of users.

The recommendations set out hereafter have been derived from the interviews and round tables previously mentioned and have been classified in two blocks or levels:

Technological and Security Recommendations

Transparency and easiness to access the information

Analysis and review of the platforms with the highest number of registered users at national and international level show that it is necessary to improve their level of transparency and to facilitate access to the Conditions of Use of their service.

In this respect, it is fundamental that these platforms display all the information related to their services in a clear and understandable manner, so that the language employed in their User Conditions and Privacy Policy is perfectly understood by any kind of user, letting him or her know his or her rights and obligations while using their services.

In addition to this measure, it is essential that social networks highlight on their pages a specific section intended to inform users, at any time during their navigation, about the User Conditions and the implications of their actions while using the platforms.

In order to reach the highest level of efficiency, it is advised to create “microsites” [108] with direct access from the homepage of the social network, in which the relevant information is displayed via FAQ sections or multimedia content (videos, slide presentations, etc.) that will allow users to learn in a simple and understandable way the implications of their actions while using these platforms, as well as their rights and obligations.

[108] Small websites with specific content that depend on another one.

Finally, it has been noticed that all social networks and platforms reserve the right to change their User Conditions and Privacy Policy at any time without warning registered users or asking for their acceptance.

On this matter, it is essential that social networks keep their Privacy Policy and User Conditions free of significant changes for their users unless they first ask for their agreement, enabling them to opt out easily and effectively.

Guaranteeing the users an absolute control over the processing of their data and the
information published on the web

Considering that social networks are free to operate from anywhere, it is recommended that they comply with European and the relevant national legislation, in order to improve the well-being and trust of their users and of the European authorities.

As indicated previously in the study, the platforms should guarantee users complete control over the information they publish about themselves on the network, putting at their disposal the greatest number of technological tools aimed at ensuring this right in an automatic, simple and quick way.

Thus it is essential for collaborative platforms to implement, as many social networks already have, tools that allow:

• Automatic exercise of the rights to access, rectify, cancel and oppose personal data published in one’s own profile or in that of another user of the network.

• Always informing explicitly how and for what purpose one’s personal data or information published on the network will be used.

• Limiting the possibility of tagging users on the network, in such a way that any person tagged with his or her name automatically receives a request to accept or refuse it, preventing, in the latter case, the publication and processing of the unauthorized data.

• This measure should be associated with a tool that allows users to withdraw any content that displays their personal data or information.

• Flagging systems that allow users to opt out and block access to the reported content. This process should be completely automatic and immediately applied.

• Configuring the user’s profile with the highest privacy level by default, letting him or her keep it that way or change it according to his or her preference.

In order to avoid the processing of unauthorized data by search engines, the platforms should include in their HTML code appropriate changes to prevent search engines from indexing user profiles unless authorized by the user himself or herself. This will guarantee better control of the information published on the web, preventing it from being accessible to anyone browsing the Internet.
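As an added example, not taken from the study or from any platform it analyzes, the following Go server applies that recommendation with the private-by-default profile setting described above: every profile page carries a robots meta tag in its HTML and the equivalent X-Robots-Tag response header, and both say “noindex” unless the user has explicitly opted in. The Profile type, the two sample users and the /profile URL are constructed for the demo.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
)

// Profile is a constructed stand-in for a stored user record. IndexingAllowed
// is the user's explicit opt-in; it is false unless the user changed it, so a
// profile is hidden from search engines by default.
type Profile struct {
	UserID          string
	DisplayName     string
	IndexingAllowed bool
}

// RobotsDirective returns the crawler directive for a profile. The same value
// is sent twice: as an X-Robots-Tag response header and as a robots meta tag.
func RobotsDirective(p Profile) string {
	if p.IndexingAllowed {
		return "index, follow"
	}
	// noindex: do not list the page; nofollow: do not crawl links from it;
	// noarchive: do not keep a cached copy that would outlive a later opt-out.
	return "noindex, nofollow, noarchive"
}

// RenderProfile builds the profile HTML with the directive in its <head>.
// User-supplied text is escaped so it cannot break out of the markup.
func RenderProfile(p Profile) string {
	name := html.EscapeString(p.DisplayName)
	return fmt.Sprintf(`<!DOCTYPE html>
<html><head>
<meta name="robots" content="%s">
<title>%s</title>
</head><body><h1>%s</h1></body></html>
`, RobotsDirective(p), name, name)
}

// ProfileHandler serves /profile?id=... and sets the header form of the
// directive, which crawlers honour even for responses they do not parse as HTML.
func ProfileHandler(lookup func(id string) (Profile, bool)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, ok := lookup(r.URL.Query().Get("id"))
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("X-Robots-Tag", RobotsDirective(p))
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, RenderProfile(p))
	}
}

func main() {
	// Constructed profiles: Ana kept the default, Bea explicitly opted in.
	profiles := map[string]Profile{
		"ana": {UserID: "ana", DisplayName: "Ana", IndexingAllowed: false},
		"bea": {UserID: "bea", DisplayName: "Bea", IndexingAllowed: true},
	}
	lookup := func(id string) (Profile, bool) {
		p, ok := profiles[id]
		return p, ok
	}
	http.Handle("/profile", ProfileHandler(lookup))
	fmt.Println("serving constructed profiles on http://localhost:8080/profile?id=ana")
	if err := http.ListenAndServe("localhost:8080", nil); err != nil {
		panic(err)
	}
}
```

A complementary robots.txt rule for the profile path is still advisable, since the meta tag and header only take effect once a crawler has fetched the page.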

Finally, with the objective of controlling published content and its ownership, the platforms should consider protecting intellectual and industrial property rights when it comes to content published by third parties on the network. In this respect, it is highly recommended for social networks and platforms:

• To have a flagging system that allows users to report the existence of copyright-protected content that has been published without the consent of its author.

• To have staff or automatic systems that effectively verify whether content is subject to intellectual property rights (for instance via DRM or metadata embedded in the content itself).

• To inform users of the nature of copyright and the importance of respecting it for the correct use of the service, through the general conditions of registration, FAQs and automatic warnings sent before content that might be subject to intellectual property rights is published.

Guaranteeing the technological security of the platform

The persons in charge of collaborative platforms should be aware that their services are mainly based on the sharing of data that may be personal, and they should protect their networks against potential attacks.

It is fundamental that they choose a reliable Internet Service Provider (ISP) [109] that ensures the highest level of security. The ISP should guarantee at least the following aspects:

[109] The services provided by the ISP should be secured by back-up systems, reliable servers, secure access, etc.

• That their DNS services [110] be completely secure and free from any kind of vulnerability, since a failure of their security systems would mean a potential threat to the platform. If the DNS server is attacked it might redirect users to a fake and undetectable website, which would mean a serious risk.

• Employing, on the servers and in their own applications, tools specifically made to detect, avoid and block phishing and pharming cases, warning users of the security and trust level of each communication received through the platform.

• Employing anti-spam tools. As indicated in the study, spam has grown exponentially within social networks because of the potential viral effect they convey. It is necessary that the persons in charge of the platforms take measures within their scope of action to reduce the number of unwanted emails.

• Because legislation in some States seeks to limit access to social networks by underage users, it is recommended to implement technological measures to verify the age of users, such as the electronic signature or applications that detect the websites most visited by the potential user and thus approximately determine his or her age.

• To have tools that prevent cases of identity theft, allowing the legitimate user to recover his or her access and block the other user.

• To have systems that let the user know the security level of the password he or she chose when registering, indicating as well what he or she should do to increase this level.

It is also recommended to employ unique systems to identify users, independent of the service they want to access. This way, security efforts would only have to focus on the identification system.

• Employing systems to encrypt the content of the platform, so that the information shown on the website for each user is inaccessible to a third party. It is recommended to implement a secure connection through Secure Socket Layer (SSL), which allows the user to detect, via the padlock in his or her browser or the “https” in the address, that he or she is on an encrypted connection.

[110] The IP address is formed by a succession of numbers between 0 and 255, divided into four groups separated by dots, which identifies a computer connected to the Internet. This system is of course not used for browsing because of the difficulty of remembering these numbers by heart. The DNS (Domain Name System) translates these numbers into the web addresses we use in our browser, which are easy to recognize and remember.

• Employing technological tools that prevent any user from downloading information published by another profile, regardless of the kind of information published on the network. It is recommended to limit the automatic download of personal information, such as photographs or videos on users’ profiles. Otherwise, massive downloads would be possible, with the potential creation of independent databases, which might have serious consequences.

However, it is recommended not to prevent this possibility completely, but rather to ask the user whether he or she allows his or her content to be downloaded by third parties.

• It is recommended that social networks and collaborative platforms that allow and encourage the use of nicknames also allow a real “digital identity” to be created from them.

Recommendations for the training and the awareness of the users regarding their
security. The role of social networks

It is fundamental that social networks encourage users to learn more about their own security while using their services.

These services are based on the sharing of personal information. It is therefore essential that users can rely on specific recommendations about their security and be sure that these services are completely secure.

In this respect, social networks and collaborative platforms should encourage the awareness and training of their users when it comes to the protection of their privacy, their intimacy and their personal data, the protection of intellectual and industrial property and, in a specific way, the protection of underage users. Thus, it is particularly relevant to follow these proposals:

• Development of content informing users about the processing of their personal data, the advertising systems used in the platform, the potential threats they might face while using this kind of online service, and the implications that publishing content in the social network might represent.

• Displaying information related to security on the platform and the measures users can take in case of infringement of their rights.

• In this respect, social networks and collaborative platforms are recommended to:

o Carry out training programs in which the most frequent conflicts arising while using the platform are studied. It is recommended to resort to online videos and graphical materials so that users easily understand the ideas conveyed.

o Reach agreements with the relevant national and international authorities to encourage the training and awareness of users when it comes to security on the Internet.

• Taking into account that the majority of users are underage, it is fundamental that social networks and collaborative platforms, together with the public authorities and the associations and organizations dealing with the protection of minors, carry out initiatives encouraging the training of underage users and their guardians regarding user security, investigating the existing technologies to identify the age of users while using the service.

• As indicated by some providers, it may be advisable to carry out volunteering programs inside the company in order to collaborate with schools and training centers to spread the importance of security, as well as to inform users of the main recommendations to take into account while using the services.

4.1.2 Proposals and recommendations addressed to the manufacturers and the providers of computer security

The role played by computer security providers and manufacturers is essential when it comes to the protection of users, since they provide technological tools able to avoid, or in some cases reduce, the unfavourable situations that might derive from the use of these platforms: online fraud, phishing, pharming, identity theft, spam and the diffusion of inappropriate content.

In this respect, manufacturers and providers of security should take into account two key aspects to reach the maximum level of security:

• Online fraud prevention. It is essential to adopt a proactive position in this respect by developing software able to guarantee the security of the platform’s users. This effort should not only focus on social networks, but also extend to all the agents taking part in the process, to reduce the number of security holes.

• Research and development of technological security. It is essential to carry out constant research activity when it comes to online security, developing new tools able to prevent or control situations of risk.

It is also essential that the manufacturers of security solutions and services encourage the following aspects in their sector:

• That the marketed applications implemented in social networks have been developed, reviewed and evaluated in accordance with the quality, security and privacy standards that guarantee their use is respectful and secure towards users’ rights. Their proper functioning should also be reviewed.

• The companies dedicated to security should encourage the interoperability of their security systems, promoting the implementation in social networks of standard protocols and systems that guarantee compliance with pre-established codes of conduct.

In this respect, it is recommended to collaborate directly with the Security Forces of the State in the investigation of new situations of risk for users, in order to develop applications able to detect, act on and counteract any unfavourable situation for the platform’s users.

• It is recommended that manufacturers and providers of computer security be proactive in detecting the malicious code that opens security holes in the platform, as well as in compiling blacklists of the domain names that present unauthorized content or that do not abide by the security criteria previously mentioned.

• It is recommended that manufacturers develop security patches and updates to guarantee that the persons in charge of the platform, as well as the users, are using fully updated and secure applications.

• In this respect, it is recommended that these manufacturers develop applications that comply with international standards.

• It is recommended to develop remote applications that allow the guardian to have complete control of the content and the operations carried out by underage users on the Internet.

It is recommended to develop applications that allow guardians/parents to: manage and/or monitor the contact lists of underage users when it comes to instant messaging services, blogs, social networks and/or similar services; know the websites the minor visits or tries to visit; limit access to websites inappropriate for underage users; obtain information on the minor’s activities on the network; and allow different levels of supervision depending on the age of the minor [111].

Through this kind of application and the promotion carried out by manufacturers and platforms, an effective result might be reached regarding the control of underage people on the Internet, as well as their security against the dangers of the Internet.

• To include in the technical descriptions of software that processes personal data the technical description of the basic, medium and high security levels mentioned by the LOPD (the personal data protection legislation).

• It is also recommended that manufacturers of security software, together with the relevant public administration, encourage the development of tools dedicated to reducing the reception of spam through social networks and similar platforms.

In this respect, it is necessary to bear in mind that social networks are becoming big sources of information from which commercial databases with a high level of virality might be generated.

4.1.3 Proposals and recommendations addressed to the Internet Services Providers (ISP)

ISPs host social networks on their servers and provide connectivity to them. In this respect, it is recommended to:

• Create reliable and secure communication channels with the Security Forces of the State, the Attorney General and the Judicial Authorities in order to save time in sending and receiving any notifications from these agents.

• Give full support to the Security Forces of the State when a claim is made.

• Inform users and direct clients of the security measures implemented for the service they are using. Thus it is fundamental that they guarantee the integrity of the databases as well as the security of the DNS servers in order to reduce or prevent phishing or pharming cases.

[111] The system developed by Microsoft Inc allows guardians/parents to know, authorize and limit access to webpages and to specified contacts through social networks, instant messaging systems or other online services. For more information, visit the website “Windows Live: Familial security”.

• Immediately attend to blocking complaints when the sender is clearly identified, taking into account the kind of infringement, and immediately inform the Security Forces of the State.

4.2 Proposals and recommendations addressed to the Administrations and Public Institutions

The Administration and the Public Institutions, since they guarantee the rights of the people and thus of the millions of Internet users, should encourage the following proposals and recommendations regarding the normative, technological and security aspects, as well as the awareness and training of users.

4.2.1 From a normative point of view

The consulted experts all agreed that any norm regulating the technological aspects of
the Information Society should follow the "technological neutrality" principle, so that
the regulated matters cover every particular situation regardless of the technological
characteristics involved.

They also underlined the need to align the regulatory requirements of the digital world
with those of the physical one, so that the conditions for providing digital services are
not more burdensome than those in the physical world.

However, very few considered that the legislation should be completely reviewed; rather,
they asked for a better interpretation of it.

All of them agreed on the following aspects:

Protection of Personal Data, Privacy, Honor and Image

The norms on the protection of personal data, privacy, honor and image in Spain are well
advanced compared with those of other Member States of the Union. However, it is
recommended that:

• The relevant authorities promote the elaboration of studies, recommendations and
rulings that periodically analyze the most used Internet services, so that the analysis of
the Information Society is constantly updated.

Based on these studies, the Administrations and Public Institutions should propose
recommendations to the providers of these services in order to improve their quality.


• The international community, or at least the European Union, should promote respect
for basic norms, independent of the place where the agents operate, so that users can
rely on global legal certainty.

• Sanctions for the illicit use of information should be effectively enforced.

• International legislation on these matters should be harmonized, so as to correctly
protect users on the Internet.

Intellectual Property

Through the review of the main platforms operating in Spain, as well as through the
consultations held on intellectual property and the Information Society, it was found
that all the legal notices establish the compulsory assignment of intellectual property
rights to the platform.

Thus it is recommended that the normative authorities:

• Encourage, or oblige, this kind of platform to make public, or at least to emphasize,
that content published on their network will become their property, before any user
publishes content on it.

• Social networks are becoming platforms where users can embed content published on
other digital platforms (videos, photographs, etc.). Intellectual property rights should
therefore be extended to this kind of conduct.

• Promote, from a normative point of view, direct agreements between the music and
audiovisual industry and the most important content distribution platforms, in order to
determine objective, controllable and quantifiable criteria that allow the verification and
payment of the usage licenses for the published content.

• Oblige Internet service providers to implement simple, free and efficient systems for
reporting infringements of intellectual property rights.

• The intellectual property norms are based on the right of authorship and the
prohibition on using protected content without authorization.


It is recommended that the legislation on intellectual property undergo a serious
adaptation, based on the maximum permissiveness possible.

However, fair remuneration should be guaranteed to the owners of intellectual rights, so
that they are compensated for the effort involved in creating their work.

Consumers and Users

• It is recommended that the legislator clearly define the relevant authority that will
handle complaints from consumers and users concerning the use of this kind of platform
and, more generally, the use of the Internet.

The main problem for users who want to complain about commercial transactions made
on the Internet is that the cost of filing a complaint, and the time needed to resolve it,
are very high, while the amount of money involved is generally very low. This does not
encourage users to file complaints.

It is recommended that the public authorities, together with the social networks, create
a new body able to offer users valid, cost-free solutions in these matters.

• For social networks or platforms operating for Spain from another location, it is highly
recommended to implement mechanisms that are efficient in time and cost for blocking
access to the online platform when it has been clearly proven that the published content,
the commercial practices or the General Conditions of Use infringe the applicable law
and cause serious damage to users.

• It is recommended to work on the harmonization of consumer and user rights at the
international level, so that any user or consumer knows the minimum conditions required
to run a platform and is able to report any situation that breaches his or her basic rights,
regardless of where he or she is located or of the platform where the transaction took
place.

This implies creating uniform rules that regulate e-business at the international level
and make available a general, global code of conduct. It is therefore recommended to
adapt Private International Law to the new reality of the Internet, so that it is easier to
determine the applicable legislation and the competent body to resolve disputes.


4.2.2 From an executive and administrative point of view

The following recommendations are addressed to the Public Administration with the
objective of guiding the implementation of supportive, promotional and enforcement
measures concerning the security of Information Society services:

• Specific training in Technology Law for judges, magistrates, forensic experts,
prosecutors, court clerks and any other member of the Public Administration who may
take part in cases related to Information Society services, so that they understand
sufficiently how these services work, what their main characteristics and problems are,
and can determine their legal implications in a clear and well-adjusted manner.

It is therefore necessary for the Center for Legal Studies and the related professional
training programs to include specific training in Technology Law.

• It is necessary to equip the technology units of the Security Forces, whether belonging
to the State, the autonomous communities or the international community, with
technological tools that allow them to investigate, to maintain the chain of custody of
electronic evidence, and to block situations likely to cause damage to users of social
networks and collaborative platforms.

• Development and articulation of fast and free judicial proceedings so that users are
better protected.

4.2.3 From an educational and informative point of view

Every aspect of the Information Society and of security requires a serious awareness and
training effort from the private entities involved as well as from the Public
Administrations, since it is by working together that the best results will be obtained.

Thus it is recommended that the Public Administrations:

• Run awareness campaigns on the risks of publishing personal data on social networks,
supported by all the agents of the value chain.

• Organize training days and outreach programs where web security topics are addressed
from practical, technological, legal and sociological points of view.

• Include in the educational system classes on web security and the protection of
personal data when using social networks.


• Organize awareness and educational campaigns through Web 2.0 tools, thus ensuring
wider circulation and greater effectiveness.

4.3 Proposals and recommendations addressed to users and associations

Below is a series of recommendations addressed to the users of social networks and
collaborative platforms, with the objective of informing them about the benefits these
services can bring, but also about the harmful, yet easily avoidable, situations they may
face while using them.

4.3.1 Protection of personal data, honor, privacy and personal image

• All users should bear in mind that they have complete control over the information
they publish on the network, and that they are responsible if excessive publication of
personal data puts their privacy at risk.

It is therefore recommended not to publish in personal profiles intimate information
about one's personal and family life that can be seen by everybody on the network.

Users should also be aware of the professional implications their "trail" may have, since
many companies currently use these networks to identify potential candidates or to study
the public profiles of pre-selected ones.

However, since users are free to publish any information they want about their private
lives, it is highly recommended that such publication be controlled, restricted or deleted.

• It is recommended that users use nicknames when browsing the Internet, so that they
have a real "digital identity" that does not threaten their personal and professional life.
Only close contacts will know who is behind the nickname.

• It is recommended that users be especially cautious 112 when publishing audiovisual or
graphical content on their profile, since it may put at risk the privacy and intimacy of
other people in their circle.

When publishing that kind of content, users should warn the third parties appearing in it
and ask for their authorization.
112
These platforms base their service on the constant updating of user profiles. More information is
available in chapter 3 of this document.


4.3.2 Intellectual property

• In case of violation of intellectual property rights, it is recommended to follow these
steps:

o Contact the social network immediately, reporting the unauthorized use of the content,
proving authorship and expressly requesting its withdrawal. It is recommended to use the
flagging systems that social networks put at users' disposal.

o If the content is not withdrawn as requested, it is advised to initiate the relevant legal
actions before the national courts or tribunals.

• As for the use of third-party content, it is recommended to use and publish only
content that respects intellectual property rights. Otherwise the user would commit an
infringement actionable before the national courts.

4.3.3 Technology and security

• It is recommended that users use different usernames and passwords for each of the
social networks they belong to. This raises the level of security of their profiles, since
credentials compromised on one network cannot be reused by an attacker to enter the
others; each account would have to be broken separately.

• It is recommended to use passwords of more than 8 characters, mixing letters and
digits and including capital letters. Such passwords are much harder to guess or
brute-force than short or dictionary-based ones; note, however, that no password rule by
itself guarantees the integrity of the published information.

• It is recommended that users install and keep updated antivirus software, to ensure
that no spyware or other harmful software puts at risk their computer and the
information stored on it.
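The two password recommendations above lend themselves to a small worked check. The following Python script is an added example written for this edition; it is not code from the report or from any of the platforms it analyzes. It tests a password against the rule stated above (more than 8 characters, letters and digits, at least one capital letter), estimates the brute-force search space in bits, and lists accounts that share the same password. The site names and passwords in the sample are constructed for illustration only.

```python
import math
import string

# Character classes an exhaustive guessing attack has to cover; the alphabet
# size is the sum of the classes a password actually draws from.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def meets_policy(password: str) -> bool:
    """The report's rule: more than 8 characters, letters and digits,
    with at least one capital letter."""
    return (len(password) > 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an attacker who knows the length and
    the character classes in use would have to try (alphabet ** length).
    This is an upper bound: passwords built from words or keyboard patterns
    fall to dictionary attacks long before this number suggests."""
    alphabet = sum(len(cls) for cls in _CLASSES
                   if any(c in cls for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def reused_passwords(credentials: dict) -> list:
    """Return sorted groups of site names that share one password, i.e. the
    accounts an attacker gets for free once one of them leaks.
    `credentials` maps site name -> password."""
    sites_by_password = {}
    for site, password in credentials.items():
        sites_by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values()
                  if len(sites) > 1)


def audit(credentials: dict) -> dict:
    """Per-site policy result and search-space estimate, plus reuse groups."""
    return {
        "per_site": {site: {"meets_policy": meets_policy(pw),
                            "bits": round(search_space_bits(pw), 1)}
                     for site, pw in credentials.items()},
        "reused": reused_passwords(credentials),
    }


if __name__ == "__main__":
    import json
    # Constructed sample (hypothetical site names and passwords); not data
    # taken from the report.
    sample = {
        "network-a": "Passw0rd1",                 # meets the rule
        "network-b": "Passw0rd1",                 # same password reused
        "network-c": "correcthorsebatterystaple", # fails the rule, larger space
        "network-d": "Xk7$pq2Lm9!vR",             # 13 chars, four classes
    }
    print(json.dumps(audit(sample), indent=2))
```

Running it shows the caveat a practitioner would attach to the rule: the long all-lowercase passphrase fails the policy yet has a larger search space than the 9-character mixed-case password, so length counts for at least as much as character classes, and the reuse check is the part of the audit that addresses the first bullet rather than the second.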

4.3.4 Protection of underage users

During the interviews and round tables, the situation of underage users of social
networks was especially emphasized. The following proposals are addressed to them as
well as to their guardians:

• Personal data should not be disclosed excessively. Some people may take advantage of
such data to gain access to specific groups or simply to collect profiles. Personal data
should never be given to strangers. In case of doubt, it is better to ask the parents or
guardians.

• The information about the website should be read in full. There one can find out who
owns the website and what the data will be used for.


• If the user is under 14 years old, the consent of the parents or guardians is required.
In those cases, each time the social network asks for personal data, the guardians should
give their authorization.

• Usernames and passwords should not be given to anyone, not even friends or
classmates. These data are private.

• Guardians or parents should be consulted in case of doubt while using social networks.
If undesired behavior is detected, it should be reported to the guardians, who will be able
to report it to the platform, which will then take the necessary measures.

If the conduct may constitute a crime, it should be reported to the State Security Forces,
which have specific units for this kind of situation.

As for guardians and parents, it is recommended:

• That the computer be placed in a common area of the house, above all when minors are
using the Internet. Otherwise, it is recommended to monitor the minors' use of the
Internet 113.

• That "Internet rules" be established at home. When minors begin to use the Internet by
themselves, the websites they visit and the hours of the day they spend on the web should
be controlled.

• That parents know how the platforms work and the potential dangers they represent, as
well as their benefits. This way, parents will be aware of the potential legal and
technological implications of their use and will be better able to teach how to use them.

• To activate the parental controls and the other control tools of the platform, and to
configure the guardians' or parents' e-mail as a secondary address. This way, the
guardians or parents will receive all the messages coming from the platform and will be
able to filter them; they will be aware of their children's activities on the network and
will be able to control which groups they belong to.

• To make sure the age-control systems actually work: that the websites visited by minors
have implemented systems able to detect the user's age, and have previously announced
the kind of content that may be encountered while visiting them.

113
For example, the Microsoft Windows Live Family Safety tool.


• To make sure content-blocking systems are in place. These prevent access to content
unsuitable for minors, whether they access it from a computer or from mobile phones.
With these tools, adult or unclassified content will be blocked.

• To help minors become aware of the dangers these platforms may represent. Education
is crucial: it is necessary to explain to minors how to use these platforms securely.

• To tell minors never to meet a person contacted online unless accompanied by their
guardians or parents.

• To make minors aware of the risks of publishing content such as videos and photos
online, as well as of using webcams. Minors have to be taught how and when to use them.

• To control the minor's profile. The information he or she publishes should be
controlled, and the Privacy Policy should be reviewed.

• To make sure minors only access pages recommended for their age. The average age of
the platform's users should be in line with that of the minor, so that the risks are
reduced. If parents cannot find the average age of the users, they should ask the platform
directly or forbid the minor's access.

• To make sure minors do not use their full names, so that they are less easily identified.
It is better for them to use nicknames on the platforms.


5 CONCLUSIONS

In Spain, the Internet is increasingly becoming a place for a new kind of social relations
based on the growing participation and interaction of users. Social networks and
collaborative websites are among the most important means of contacting other users on
the Internet, maintaining a new kind of relationship and accessing shared content.

These platforms grow essentially thanks to viral marketing, which has allowed their rapid
expansion. The latest international statistics (from the Universal McCann study of March
2008, "Power to the people social media. Wave 3") estimated the number of social
network users at 272 million, around 58% of all Internet users worldwide, an increase of
21% compared with the data released in June 2007.

In Spain 114, as underlined in the Universal McCann study, 44.6% of Internet users use
these services to stay connected with friends and close family, or to look for people they
have lost contact with. Applying this percentage to the data recorded by Wave XX from
Red.es, which highlighted that "between January and March 2008, around 17.6 million
people had used the Internet in the previous month", it is estimated that 7.85 million
regular users (over 15 years old and with Internet access during the last month) use
social networks.

However, the growth and notoriety of these social spaces are not free from potential risks
or ill-intentioned attacks. This is partly because the use of these networks is based on the
publication of users' personal data, which may generate situations that threaten and
violate the fundamental rights not only of the users but also of third parties.

For example, the uncontrolled publication of information by a user may violate, among
others, the rights protecting honor, privacy, image and personal data. It must be taken
into account that, in many cases, these violations are due to a lack of information and
training of the user, who misconfigures the privacy settings of his or her profile.

The risk of violating these rights increases when the published information concerns not
the user but third parties, and reaches its maximum when the social network user is
underage, since to the above-mentioned risks must be added the

114
Even if the sources of information differ, they all agree that, in 2008, the proportion of Spanish Internet
users regularly using social networks was around 40 to 50%. It was, for example, 50% according to Zed
Digital (The phenomenon of social networks. Perception, uses and advertising. November 2008) and 45%
according to The Cocktail Analysis (Observatory for the assessment of social networks. Online
communication tools: Social networks. November 2008).


ones of accessing inappropriate content and those of having contact with potentially
ill-intentioned adults.

Social networks are not strictly tied to a geographic location to provide their services.

However, it must be taken into account that, in Spain, specific legislation is in force
governing all the aspects related to Information Society service providers 115.

On the one hand, Directive 95/46/EC, whose scope covers these activities, and on the
other hand, Law 34/2002 on Information Society Services and Electronic Commerce, in its
article 5, both regulate the specific aspects that apply to "providers established in a State
that does not belong to the European Union or the European Economic Area". If they
"offer their services in Spanish territory, they will be subject to the obligations stipulated
by this Law, unless these go against what has been agreed in international treaties or
conventions applicable to those cases".

In any case, it is important to underline that the owners of social networks should
improve the following:

From a legal point of view

• The conditions of use, which are difficult to find on the website.

• The conditions of use are confusing and badly written.

• They are difficult for any user without technological or legal knowledge to understand.

• The platform's technological security systems are not sufficiently respected.

From a technological point of view

The interviewed platforms indicated they had implemented different security measures in
collaboration with the ISPs (Internet Service Providers), with the purpose of reducing the
chances of the platform and its users suffering phishing or pharming attacks, as well as of
reducing identity theft.

Furthermore, it has been noted that the most widespread way of guaranteeing the
protection of users is the flagging system (internal reporting). The social networks all
agreed that user collaboration is a key aspect of providing safe services.
115
According to the definition in the First Additional Provision of Law 34/2002 on Information Society
Services and Electronic Commerce, this means a "natural or legal person that provides an information
society service".


However, in spite of the implemented measures, social networks still have to improve the
following aspects:

• Training users on the different configuration options of their profile and on the benefits
of an adequate publication of personal data.

• Default settings should be configured to the highest level of privacy (they are generally
configured to allow maximum exposure of the profile).

• Controlling the indexing and storage of profiles by search engines.

• The networks have not implemented systems to verify the age of users, in spite of the
different projects that already exist with this objective 116.

• Establishing remote systems to identify users through electronic signature. Systems
such as the electronic ID card allow secure electronic transactions and guarantee the real
identity of the user.

116
For example, the initiative proposed by the association for the protection of minors Protégeles (Protect
them!) on its website micueva.com, where users are individually contacted when they register so that their
age can be verified.


ANNEX I

I List of Participants

This study was developed with the collaboration of representatives of social networks, as
well as professionals related to the protection of users' rights or to the field of Technology
Law. It benefited from their knowledge and experience in information security, privacy on
the Internet and the protection of personal data.

INTECO and AEPD would like to thank them for their collaboration in the interviews and
round tables.

• Abraham Pasamar. Technology Expert at Indice, Digital Investigation.

• Alexandra Juanas Castañada. Lawyer at Castañada & Castañada Abogados (legal
advisers of the social network Wamba).

• Alonso Hurtado Bueno. Lawyer at X-NOVO Legal & Web Solutions, S.L.

• Álvaro Cuesta. Director of X-NOVO Legal & Web Solutions, S.L.

• Blanca E. Sánchez Rabanal. Technical expert at the INTECO Information Security
Observatory.

• Bárbara Navarro. Head of Institutional Relations at Google Spain (provider of the
platforms OpenSocial, Orkut and YouTube).

• Bárbara Olagaray. Head of Legal for Central and Southern Europe at Microsoft España
(contact in Spain for the social networks MSN Live Spaces and Facebook).

• Cesar Iglesias. Security consultant and LOPD lawyer at Díaz-Bastien & Truan.

• David Puello. General Director and founder of the social network Votamicuerpo.com.

• Enrique Dans. Professor of Information Technology at Instituto de Empresa.

• Fernando Fernández. Inspector of the Brigada de Investigación Tecnológica de la
Policía Nacional.

• Fernando Ujaldón. Head of Communication for the social network 11870.com.


• Francesco Pla. Head of Security at Vesne, S.L. (company dedicated to the development
of social networks, such as Moterus).

• Iban Diez López. Lawyer at Gómez Acebo & Pombo (legal advisers of the social
network Tuenti).

• Icaro Moyano. Head of Communication for the social network Tuenti.

• Iván García Crespo. Technical expert at the INTECO Information Security
Observatory.

• Ignacio Parada. Head of Information Security for the social network Vi.vu.

• Jaime Esteban. Product Manager at Microsoft Ibérica (contact in Spain for the social
network MSN Live Spaces).

• Javier Cremades. President of Cremades & Calvo Sotelo.

• Javier García. Adviser to the Technology Cabinet of the Defensor del Menor de la
Comunidad de Madrid.

• Joaquin Muñoz. Partner at Abanlex Abogados.

• Juan José Portal Svensson. Information Security Manager at Forbes Sinclair, S.L.
(international adviser on information security and instructor at the British Standards
Institution).

• Juan Luis Alonso. Head of Security and Contents at Advernet, S.L. (provider of
Dalealplay.com, which belongs to the Vocento Group).

• Juan Salom. Commanding officer of the Brigada de Delitos Telemáticos de la Unidad
Central Operativa de la Guardia Civil.

• Luis Albaladejo Ufate. Information Security Consultant at Forbes Sinclair, S.L.

• Luis Cisneros. Lawyer at X-NOVO Web and Legal Solutions, S.L.

• Luis Miguel García. Head of Security and Platform Strategy Director at Microsoft
Ibérica.


• Manuel Vázquez. Chief Captain of the Brigada de Investigación Tecnológica de la
Policía Nacional.

• Maria González Torres. Lawyer at Gómez Acebo & Pombo.

• Maria González. Lawyer at Google España (provider of the platforms OpenSocial,
Orkut and YouTube).

• Michael Hall. Founder, partner and information security auditor, CISSP, at Forbes
Sinclair, S.L.

• Miguel Ángel Diez Ferreira. Managing Director of the social network Redkaraoke.com.

• Miguel Pérez Subías. President of the Asociación de Usuarios de Internet.

• Mikel Lertzog. General Director at Hi-Media España (responsible for the social
network Fotolog España).

• Orial Solé. Founder of the social network Patatabrava.com.

• Pablo Fernández. Partner at Abanlex Abogados.

• Pablo Pérez San-José. Manager of the Observatorio de la Seguridad de la Información
de INTECO (coordinator and director of the study).

• Pedro Escribano Testaut. Judge at the Gabinete Técnico de la Sala III del Tribunal
Supremo.

• Pedro Jareño. Head of Marketing and Communication of the social network
Minube.com.

• Rodrigo Méndez Solís. Legal Technology Adviser at X-NOVO Web and Legal
Solutions, S.L.

• Sergio Hernando. Consultant and Auditor in Information Security and Encryption at
the Departamento de Seguridad of BBVA.

• Sylvia Alonso Salterain. Partner at Cremades & Calvo Sotelo.

• Tomás F. Serna. Lawyer specialized in Data Protection and Information Security at
Tomás F. Serna Abogado.


II Analyzed Social Networks

The following table presents the list of social networks and collaborative webs that had
been analyzed for the elaboration of the study.

Name | Objective | Number of Users | Registration
11870.com | Share and recommend other websites | 12269 | +14 years old
43 Things | Platform to express and plan ideas and obtain collaborations | 1007433 | Open
Advogato | Share knowledge related to computers | 11000 | Open
ASmallWorld | Rich Public | 150000 | Only with invitations
Badoo | General | 12500000 | +18 years old
Bebo | General | 40000000 | Open
BlackPlanet | Afro-american Public | 16000000 | Open
Broadcaster.com | Share contents | 25000000 | Open
Buzznet | Culture and pop music | 550000 | Open
Capazoo | General | Not available | Open
CarDomain | Share knowledge related to cars | 1600000 | Open
Care2 | Promote ecological and social movements | 8123058 | Open
Classmates.com | General | 40000000 | Open
Cyworld | Afro-american Public | 21200000 | Open
Dalealplay.com | Share multimedia contents | Not available | Open
Dandelife | General | Not available | Open
Del.icio.us | Share weblinks | Not available | Open
DontStayIn | Promote the club culture | 330000 | Open
Experience Project | General | Not available | Open
Facebook | General | 150000000 | +13 years old
FaceParty | General | 5900000 | +16 years old
Flickr | Share photographs | 4000000 | Open
Flixster | Share videos | 36000000 | Open
Fotki | Share photographs | 1000000 | Open
Fotolog | Blog of photographs | 12695007 | Open
Friendster | General | 75000000 | Open
Friends Reunited | General | 19000000 | Open
Gaia Online | Promote the anime community | 9300000 | Open
Gather | Share multimedia contents | 450000 | Open
Geni.com | Family and Genealogy | 750000 | Open
Grono.net | Promote contacts between Polish people | 1350000 | Open
GuildCafe | Community of online players | Not available | Open
Hi5 | General | 50000000 | Open
Hospitality Club | Share accommodations | 328629 | Open
Hyves | Promote contacts between Dutch people | 5000000 | Open
Imeen | Share multimedia contents | 16000000 | Open
IRC-Galleria | Promote contacts between Finnish people | 400000 | Open
iWiW | Promote contacts between Hungarians | 3100000 | Only with invitations
Jaiku | General | Not available | Open
Joga Bonito | Share knowledge related to football | Not available | Open
Last.fm | Share knowledge related to music | 15000000 | Open
LibraryThing | Share knowledge related to literature | 214425 | Open
LinkedIn | Share knowledge related to companies | 16000000 | Open
LiveJournal | Share knowledge related to blogs | 12900000 | Open
LunarStorm | Promote contacts between Swedish people | 1200000 | Open
Meeting | General | 72000 | Open
Meetup.com | General | 2000000 | Open
Migente.com | Promote contacts between Latinos | 36000000 | Open
MindViz | General | 145000 | Open
Minube.com | Share experiences related to traveling | 51353 | Open
Mixi | Promote contacts between Japanese people | 9830000 | Only with invitations
MOG | Share music | Not available | Open
Moterus.com | Share knowledge related to motorcycles | 4300 | Open
MSN-Windows Live Spaces | Blog Hub | 120000000 | Open
My Opera Community | General | 1001798 | Open
My Church | Promote contacts between Christians | 70306 | Open
MySpace | General | 110000000 | Open
My Yearbook | General | 950000 | Open
Netblog | General | 28000000 | Open
Nexopia | Promote contacts between Canadians | 1158531 | Open
Okcupid | Search for personal contacts | 800000 | Open
Orkut | General | 67000000 | Open
OUTeverywhere | Gay community | Not available | Open
Passado | General | 4700000 | Open
Passportstamp | Share experiences related to traveling | 12000 | Open
Pataabrava.com | General | 40000 | Open
Piczo | General | 10000000 | Open
Plaxo | Obtain professional contacts | 15000000 | Open
Playahead | General | 530000 | Open
Playtxt | Social network with geo-localization of the users | 70000 | Open
Pownce | Share multimedia contents | Not available | Open
ProfileHeaven | General | 100000 | Open
RateItAll | Evaluation of products and services | Not available | Open
RedKaraoke.com | Social network for online karaoke | 100000 | +18 years old
Reunión.com | General | 28000000 | Open
Ryzo | Share knowledge related to companies | 250000 | Open
Sconex | Social network for American high schools | 500000 | Open
Searchles | General | Not available | Open
Sermo | Promote contacts between physicians and scientists | 40000 | Licensed and Doctorate
Shelfari | Share experiences related to literature | Not available | Open
Skyrock Blog | Blog Hub | 3800000 | Open
Soundpedia | Share information on music | 3500000 | Open
Sportsvibe | Encourage sporting activities | 18000 | Open
Squidoo | General | Not available | Open
StudiVZ | General | 4000000 | Open
Tagged.com | General | 30000000 | Open
TakingItGlobal | Promote social actions | 145000 | Open
The Student Center | General | 800000 | Open
Threadless | Share designs for shirts | 364474 | Open
TravBuddy.com | Share experiences related to traveling | 750000 | Open
Travellerspoint | Share experiences related to traveling | 105000 | Open
Tribe.net | General | 602876 | Open
Tuenti | General | 2400000 | +14 years old
Twitter | General (microblogging) | Not available | Open
Vi.vu | Have medical consultations and share experiences | 3000 | Open
Votamicuerpo.com | Contacts | 300000 | Open
Vox | Blogs | Not available | Open
Wamba | General | 2511729 | +14 years old
Wayn | Share experiences related to traveling | 8000000 | +18 years old
WebBiographies | Promote Genealogy | Not available | Open
Woophy | Share experiences related to traveling | 23000 | Open
Xanga | Blog Hub | 40000000 | Open
XING | Share knowledge related to companies | 4000000 | Open
Yahoo! 360º | General | 4700000 | +18 years old
YouTube | Share multimedia contents | 115000000 | +18 years old


INDEX OF GRAPHS

Graph 1: Percentage of Social Network Users in Spain. March 2008. ..............................33

Graph 2: Number of contacts by social network users in Spain. October 2008 ................37

Graph 3: Penetration of Online Social Networks by Age Group in Spain. July 2008 (%) ..42

Graph 4: Value chain of social networks ...........................................................................45

Graph 5: Evolution of the Traffic (million) ..........................................................................46

Graph 6: Geographical distribution of social networks in 2007 (%) ...................................47

Graph 7: Segmentation by age of social networks users in Spain (June 2008) ................48

Graph 8: Use of social networks in Spain by level of study (June 2008)...........................48

Graph 9: Penetration of different Social Networks in Spain (July 2008)............................49

Graph 10: Monetization of social networks and Web 2.0 (Sept 2008)...............................51

Graph 11: Earnings per day of the Facebook applications (in thousands dollars) ............53

Graph 12: Forecast sales of online B2B advertising, between 2007 and 2012 in million U.S. dollars ..........54

Graph 13: Growth model of social Networks .....................................................................56

Graph 14: Uses of social networks by Spanish users (%). October 2008. ........................57

Graph 15: Privacy settings (October-December 2007)......................................................58


INDEX OF TABLES

Table 1: Sampling by Autonomous Communities (%) .......................................................26

Table 2: Sampling by Socio-demographic Categories (%) ................................................27

Table 3: Social Networks ...................................................................................................32


http://www.inteco.es http://www.agpd.es

http://observatorio.inteco.es