Privacy Issues for Online Personal Photograph Collections

Technological developments now allow community groups, clubs, and even ordinary individuals to create their own, publicly accessible online digital multi-media collections. However, it is unclear as to whether the users of such collection are fully aware of the potential privacy implications of submitting their personal contents (e.g. photographs, video, etc.) to these digital collections. They may even hold misconceptions of the technological support for preserving their privacy. In this paper we present results from 18 auto-ethnographic investigations and 19 ethnographic observations and interviews into privacy issues that arise when people make their personal photo collections available online. The Adams’ privacy model is used to discuss the findings according to information sensitivity, information receiver, and information usage. Further issues of trust and ad hoc poorly supported protection strategies are also presented. Ultimately while photographic data is potentially highly sensitive, the privacy risks are often hidden and the protection mechanisms are limited.


Introduction
Online collection of multi-media content, such as digital libraries, can be both empowering and excluding. Increased information access has powerful social ramifications [2], [1] that are not always fully understood. Furthermore, increasing information access can often change social structures and organizational norms. It is therefore only reasonable to assume that personal digital collections would try to avoid these social consequences. However, the personal desire to share information and the need for privacy is a continual battle that personal resources are caught in the middle of. Information ownership is a complex field relating to copyrights, intellectual property rights, policy and legislative initiatives [7], [33]. The individuals' perception of information privacy and trust in online digital collections is often overshadowed by these issues. Yet it is the individuals' perceptions that guide how these resources will be used, misused or avoided. Understanding the end-users' perceptions of privacy and trust is vital as the role of digital resources in organizations and personal usage is changing. For instance, in the case of digital libraries, Holmstrom [23] highlights the importance of privacy in the changing role of such libraries and those that support them. It is argued that these resources are changing from assets with librarians as asset managers to those of resources with librarians as customer relationship managers. Holmstrom [23] argues that we have become too sensitive to privacy issues and that this has over-restricted digital library development. However, a clear guideline for digital library developers to support them in acceptable end-user digital library development is not given.
Photographs are increasingly being used as documents in personal online collections. The ability to personalize these resources is a strong motivation for users to develop and re-use them. But much of the enjoyment of photographs comes from sharing them (e.g., showing friends where you've been, marvelling over how quickly children have grown, and recording special moments for geographically dispersed loved ones). Digital resources have increased the ease with which we can share this information. But with sharing comes risks, and potential privacy invasion is a major source of worry for developers of the systems for management of online digital collections, as well as their end-users.
Personal photos pose special concerns regarding privacy, in that images may convey a more nuanced and layered impression of an individual than many common types of text / factual data (eg, location information as gathered from a GPS device, financial transaction data from commercial websites, etc.). Adams and Sasse [4] distinguish between the primary level of information that can be inferred from data-the core financial, medical, commercial, 'facts' conveyed by the data-and the secondary level of information that includes interpretive and qualitative inferences such as emotional state. Photos may reveal far more of the secondary information than the photo owner is comfortable revealing to others. Consider, for example, two types of location data about Chris, an 18 year old university student: time stamped GPS data gleaned from Chris's mobile, and a time stamped photo of Chris at a party. Both can be used to infer Chris's attendance at a given social function, but a photo will reveal far more of Chris's mood and activities. Users of social networking sites are keenly aware of the significance of personal photos in representing one's personal brand: photographs are carefully chosen to present the most attractive aspects of the individual (both in terms of physical appearance and personality). The secondary information inferred from a photo can either reinforce or undercut that personal identity [6]. This paper relates people's perceptions of their online personal photo collections to the Adams' privacy model [1], [3]. The model has been previously used for the development and review of privacy mechanisms in multi-media, mobile and ubiquitous environments [8], [24], [26] and online learning environments [34] but it has never been applied to the domain of digital collections. Because of the complexity of personal photo collection data the authors believe that this model would be a useful tool for analyzing user perceptions.
Research on online personal photo collection systems has concentrated on supporting individuals in organizing, searching, browsing, and annotating their collections. A common sense understanding of how and when people take photos is used to inform the design of novel interface features specific to personal photo collections. For example, the insights that photos are taken in a time-linear order and that people tend to take several snapshots of the same event or person in a brief period of time, have led to experimental systems using photo timestamps as a basis for browsing structures [22], or using time and image content to automatically cluster photos into 'events' [14]. The insight that an individual tends to take multiple photos of the same people and places over time can be exploited by using photo time and location information in previous, annotated photos to develop annotations for new, uncaptioned photos [30]. An investigation into how people manage collections of digital photos [36] confirms basic understandings of personal photo collection interactions, but this study was conducted during the early days of digital cameras. Further research is therefore needed to better understand other user behaviour, resulting from the use of more modern digital camera technology that could inform the design of improved tools for management of online photo collections.
Almost all existing systems primarily focus on the individual's use of a personal photo collection. Less is known about how people share photos, and how photo sharing can be incorporated into online personal photo collection systems. Earlier work on personal photography from a sociological or human-human interaction perspective (for example, [27]) has been conducted before the widespread adoption of digital cameras. This current work is one step towards examining the aspects of sharing of photos, primarily digital photos, as these behaviors may impact the design of

Background
For us to be private there must be a public environment. Privacy, and thus being private, can only be reviewed within that of public context [5], [21]. Public concern over photograph sharing and privacy issues dates back to the early days of modern photography, when George Eastman marketed the cheap, handheld camera. These cameras unleashed a horde of 'Kodakers' whose unrestrained photo-taking, editing, and sharing created a backlash of privacy rights legislation in, for example, New York [28]. The amateur photography enthusiasts, or 'camera fiends', provoked intense negative feelings in their unwilling subjects-and the poor and insignificant were frequently the target of 'those dreadful little boxes', as well as the rich and famous. Photos were traded, given away with cigarette packs, and sold in a variety of shops, often without the subjects' knowledge or consent [28]. Lurid speculation surrounded the motivations of the 'Collectors, cranks, dudes and theatrical people' [32] who purchased the photos-what unsavoury uses were they finding for these images? Modern 'Photoshopping' of images was prefigured by the discovery of techniques for altering film photos and negatives; LeGrange Brown, for example, caused a scandal in New York when he "put the heads of innocent women on the undraped bodies of other females" [39], to the consternation and embarrassment of 'reputable young women' and "numbers of gentlemen fearful that pictures of their female relatives may have been tampered with in this way" [13]. Photos could be mis-appropriated to serve as product endorsements, as Miss Abigail M. Roberson discovered when confronted with her own face on barrels of flour [35].
Current photographic digital collection systems support sharing and thus increase distribution through effective storage and retrieval mechanisms [15]. Privacy concerns, therefore, emerge again, as digital cameras allow ordinary people to duplicate and alter photographs in ways that previously were only possible for professional photographers. Recent computer privacy research links these socially dependent contextual issues (such as sharing) with technical and policy concerns [31]. However, defining and specifying systems from these socially and emotively reliant criteria are complicated.
Many discussions of privacy often reduce it to a simple binary private or not private distinction by defining privacy with regard to Personal Information. The problem with many definitions of Personal Information is that they concentrate on the data itself and its ability to personally identify someone rather than how it is perceived [4], [9], [33]. This approach can be too restrictive when applied to photographic data since many pictures identify someone and anonymizing them (for example, by pixilating peoples faces) often destroys the value and meaning of the image.
Both Goffman [21] and Giddens [19] highlight the importance of social roles and the duplicity of our actions. Privacy is closely interwoven with how others perceive us. We act not only as means to attain a purpose but also with the desire of creating the appropriate impression with others. Photographs can be an aid or an embarrassment in our social interactions since they give the impression of accuracy yet present a manipulated version of reality. We pose for photographs to give an impression. Pictures can show us in positive and negative lights with no basis in reality. Goffman [21] in particular emphasizes the different roles that we play in different situations and for different people. Understanding how we present ourselves is vital to maintaining an accurate appraisal of, and control of, our privacy.

Previous Photo Sharing Studies
The bulk of early research into personal photography behavior has focused on physical photos, as specifically on photo taking, photo annotation, and collection management (eg, [12]) rather than specifically on photo sharing. With physical photos, sharing is directly under the control of the photo owner: the photo, its negative, or a small number of copies are individually given or shown to other people, and the relative expense and difficulty of duplicating and distributing large copies reduces the risk of inadvertent sharing.
Recent studies of digital photo sharing behavior (and related privacy concerns) have primarily taken in depth looks at specific contexts for sharing, rather than viewing photo sharing in general. For example, studies have looked at collocated sharing of images on camera phones [37] and photos shared digitally via cameraphone [6], photo sharing via social network sites [10], and sharing through Flickr.com [29]. These papers give valuable insights into different aspects of privacy and photo sharing, but do not paint the full picture of sharing behaviors and the associated (and various) privacy aspects. This present paper investigates the full range of photo sharing and looks specifically at privacy. Furthermore, these studies are relatively small scale, involving 14 or fewer participants and data gathering through a single interview or focus group involvement for each participant. We develop our rich picture of photographic privacy issues from ethnographic data drawn from 37 individuals, over the spectrum of photo sharing (collocated and distant, digital and physical photos, across a variety of photo taking devices).

Information Control and Risks
The control and feedback approach has been a major perspective in privacy research. Bellotti [7] notes the importance of an individual's ability to retain privacy via access control and feedback. Bellotti and Sellen [8] previously noted that with careful privacy related design, users could increase control of personal data and thus privacy. The clear advantage of this approach is that it relates users' privacy rights to technical and interface design decisions. However, their findings do not convey the true complexity of privacy, especially with regard to users' constantly fluctuating ability to trade-off privacy against potential benefits. Although, they do note that to define privacy adequately, it must be understood that it is an unstable phenomena that varies according to context, users' roles and societal / organizational norms, whilst privacy benefits can affect users' overall perceptions of a system.
The complexities of privacy issues are further complicated by Bellotti's [7] suggestion that privacy can be invaded without the user being aware of it. This brings to the forefront the additional question of whether it is what is known about a person that is invasive, or who knows it. Thus the identity of the person receiving the data can be a deciding factor in whether someone will provide it or not [16]. Many privacy invaders, however, do not see themselves as such because they believe that valid reasons justify the privacy breach: for example, that there is a countervailing use to which the information can be put [25], or that their relationship with the person gives them the right to access the material (e.g., a parent looking through a child's schoolwork).
Understanding real world strategies for controlling our privacy can highlight how end-users misinterpret the degree of privacy afforded by a system [3]. Both Goffman [21] and Giddens [19] suggest that our behaviors are framed within each specific situation. Situations are defined by both the physical aspects of the place and the knowledge and expectations of others present there. We all assume that in many situations we know what acceptable and unacceptable behavior is (e.g., it is acceptable to clap at the end of a theatre performance but not at the end of a funeral service). However, these codes change within different cultures and cultures can vary between organizations, cities or countries. We rely on social cues, norms and pressure to provide feedback on what is acceptable and to enforce those behaviors (e.g., everyone stares at someone who claps at a funeral). Problems occur online because a person's actions and thus these cues are frequently hidden. In multimedia environments reciprocity is noted as an important phenomenon to support through privacy mechanisms [6]. In online personal collections this would mean that you not only know that someone has accessed your information, but that they know, you know they've accessed it.

Privacy Models
Palen and Dourish [31] base their privacy framework on identifying the boundary between privacy and publicity, either of which may be beneficial depending on the context. Four issues are identified as being important for designers: the social and organizational context, temporal factors from actions in that context, possible threats from information usage, and trade-offs made by the user. However, this framework misses the importance of fluctuating information sensitivity levels according to who is receiving and how they are using the information.
Another model that is more suited to dealing with privacy factors in multimedia information sharing context is what we will refer to here as the Adams' privacy model [1], [4]. The aim of this model is to help multimedia communication systems to "determine which information users regard as private, from whom, and in which context" [1]. Rather than dealing with privacy as a black/white (or binary yes/no) variable, the model attempts to define "privacy boundaries" which if breached will reduce the effectiveness of the system being used. Furthermore, what defines these boundaries is in fact the privacy "perception" of the users. According to Adams' model the User is anyone who has data transmitted about them either directly or indirectly. Direct information may for instance be a person's consumption habits or medical records, while indirect information might be their image or voice. In fact the user may not actually be actively using the system, and may be totally unaware that their data is being transmitted [1], [8].
As shown in Figure 1, Adams' model defines three main factors which interact with one another to create the users' overall perception of their privacy. These factors are defined as [1]: • Information Sensitivity: is the primary privacy factor which the other factors affect to determine the perceived sensitivity level. Information Sensitivity in a way defines the users' perceptions of the confidentiality of the information being transmitted. Also, users' judgment of the sensitivity levels of the information is not binary (private/not private), but multi-dimensional with varying degrees of sensitivity.
• Information Receiver: is the users' perception of the person who receives and/or manipulates their information. Although a range of factors would influence the users' assessment of the Information Receiver, the issue of trust seems to be the most important one in defining the users' perception of the Information Receiver.
• Information Usage: is the users' perception of how and for what purpose their information will be used at present as well as in the future. The potential importance that the users attribute to the perceived Information Usage is crucial to the users' estimation of privacy risk/benefit trade-offs.

User Study
As mentioned earlier, the purpose of our user study was to better understand why and how people share their personal photographs, so that this knowledge could be used for guiding the design of more effective systems for management of online personal photo collections. In the remainder of this paper we describe our study, identify its major findings, and relate these finding to the privacy factors of the Adams' model.

Data Collection
Data for this study was gathered through a project assigned to undergraduate students in a human-computer interaction course at the University of Waikato. The goal of the project was to design and prototype a shared, online photo collection management system. The students based their designs on ethnographic investigations into the photo taking and sharing habits of themselves and at least one friend. These investigations were summarized (a total over 150 pages) and these summaries are analyzed in this paper.

Study Participants
In total 18 students' project submissions have been included in this study. These students conducted 18 autoethnography (see the next Section) and 19 ethnographic observations and interviews of another person. Table 1 summarizes the gender and national origin of the students and the people interviewed by them. To preserve the anonymity of the students, each participant is referred to with a randomly assigned letter of the alphabet. Note that Participant G interviewed 2 people, rather than 1, and this resulted in a total of 19 ethnographic observations and interviews. Combining the 18 students and 19 others whom they interviewed and observed gave us 37 study participants in total (a summary of their demographic is shown at the bottom part of Table 1).

Methodology
The first task undertaken by students participating in this study was to perform a 'personal ethnography' on their own photo taking and sharing habits. In a personal ethnography or auto-ethnography [17]- [18], ethnographic techniques of observation and analysis are applied to one's own experiences. The challenge in this type of study is to view oneself objectively, to see one's own worldview as freshly as possible, and to then interpret the identified experiences in the light of applicable theory. The auto-ethnography is particularly valuable for novice ethnographers, as it encourages critical introspection and allows them to practice the technique before interacting with their informants [18].  The students then performed a similar ethnographic observation of another person's photo collection and sharing habits. They observed and interviewed the other person to create a description of how and when that person shared photos with others.
To guide the process of autho-ethnographic self observation and the ethnographic interview and observation of others, as part of this study we provided the students with a list of possible open-ended questions which they could use. Table 2 provides a summary of these questions.
We used grounded theory methods [20], [34], [38] to analyze the students' summaries of ethnographic observations and interviews; the students' ethnographic descriptions were aggregated and treated as raw data, analyzed by the researchers rather than directly by the students themselves. This distancing of the data gatherer from the data analysis allows us to partly finesse the difficulties in dealing with auto-ethnographic interpretation, as the autoethnographer in this work is not directly analyzing the data. Another common criticism of both auto-ethnography and ethnography is that the ethnographer may inadvertently bias the data by failing to record or perceive specific aspects of the activity under study. By including 18 students as data gatherers, we reduce the likelihood of blind spots remaining in the aggregated data. The relatively large number of observers (18) and observations (37, including both auto-ethnography and investigations of another individual's photo-related behaviours) lends confidence to our analysis and conclusions.
In the next section, we describe the findings of our analysis, and present evidence that photo sharing is a significant behavior associated with photo-taking and the development of a personal photo collection. We also argue that it is crucial for online photo collection systems to support users' sharing practices, while at the same time providing them with effective means of protecting the privacy of their photos. In particular, we focus on the privacy and trust issues elicited from these ethnographies.

Restrictions that you place on use of your photos:
Are there some photos that you are willing to allow people to view but not copy, or are you willing for people to make copies of all photos that you allow them to view?
Who you share given photos with: Do you keep some photos private? Are there some photos that you share only with friends or relatives? Or do you allow anyone to view all your photos?

What else:
What other factors can you think of that impact how you use and share photos? Showing-and sometimes showing off-our photos is an intrinsic part of photo-taking. While we enjoy privately perusing our own collections, we also like other people to view our efforts. Table 3 lists the photo sharing methods described in the auto-ethnographies and ethnographies. These sharing methods are classified according to whether the intention of the photo owner is that:

Photo Sharing Behaviour
• the sharing experience be mediated by the photo owner (that is, that the owner verbally or textually explains the photo), • the act of sharing involves giving the other person a copy of the photo (either physical or digital), • the photo be shared with members of the public at large (rather than controlling access, or having a known, small group share the photo).
We emphasize the word 'intention' above. As will be discussed in the next section, the assumptions that people make about a given sharing method may not always be borne out by practice.  Mediation involves explaining aspects of the photo that the photo owner feels are significant to 'understanding' the image. These aspects vary, and can include the event depicted, its date, the names of people depicted and their relationship to the photo-taker, photographic techniques used, and so forth. Mediation can occur verbally, or through text attached to or associated with the photo (for example, a file name, an MSN message, a caption on a webpage, a nearby paragraph in a blog). The explanations can be lengthy-an email describing its attached photo, or a minuteby-minute verbal explanation of the wedding album displayed on the coffee table-or as brief as a single word tag on an online photo site.
Textual annotations such as captions are primarily made when photos are shared, but not in face-to-face circumstances ("Normally I do not write any captions on the photos or in albums, this is because I know where I took them and what it is, and chances are that if someone else is looking at them, then I'll be there to explain who that person is or what the photo is of"; Participant P). But memories fade, and with them the nuances of the owner's understanding of the images ("'For any photos I take I barely ever write captions but now when I look back on the photos I took 5 years ago, I kind of wish I did", Participant Q; "As I have just looked through my photo collection I am aware that I cannot remember what is happening in many of the photos. I also have no idea when most of the photos were taken, I can only guess", Participant J). Asynchronous photo sharing, then, dramatically increases the likelihood that textual photo descriptions ('metadata') will be recorded for a photo.
Face-to-face sharing of photos usually involves allowing the other(s) to view the photos, but not providing copies. For much of the history of photography, giving a 'copy' of a photo involved creating a new print from the negative. During the first century or so of the history of personal photography few people had access to the expensive equipment required to create a credible copy from a print, so photo owners could give away a print and be confident that the image would not be further distributed. Similarly, alterations made to print images were so crude as to be easily detected. Digital photographs of course have no such limitations on the production and distribution of copies, or on the types of modifications that can be made to the images. As will be discussed in the next section, at times the assumptions made about copying and distribution of shared printed photos are applied to digital photos.
Control over who is allowed to view a photo is most easily achieved in face-to-face sharing. Note that sharing can be one-on-one, or to large groups (for example, presenting slideshows of party photos to friends and flatmates). Faceto-face sharing can be restricted by physical access to the environment in which the photo is displayed (e.g. the fridge bedecked with school photos is in the kitchen, or PC that displays photos as a screensaver is in the bedroom). Online 'environments' can feel as personal and comfortable as a physical environment, but this sense of control over Despite all these potential concerns that one must take into account, the sheer length of Table 3 demonstrates that people are generally enthusiastic sharers, and embrace every new technology that allows them to reproduce, distribute, and display their photos. Even Participant J, who doesn't own a camera and so rarely takes photos himself, has accumulated a 'quite large' photo collection by having friends and relatives give him copies of their photos of shared events.
It is also important to note that sharing physical print photos continues to remain a significant activity-sometimes by giving a physical copy of a photo, but more frequently by allowing others to view the photos through (semi-) permanent displays (Figure 2) or temporary albums useful for toting around the latest pictures ( Figure 3). The purpose of these displays is two-fold: to serve as a reminder of significant people, places, and events; and to facilitate relationships by promoting sharing and discussion:   Comments such as this show that the participants in our study had not necessarily consciously thought through how they maintain privacy for their personal photos. Strategies were sometimes piecemeal, or even self-contradictory. In this section we outline the privacy concerns expressed by participants, and discuss them firstly with regard to their trust and strategies for protecting privacy. The issues impacting on users' privacy perceptions are then categorized according to the information sensitivity, receiver, and usage factors of the Adams' model.

Trust, Etiquette and Current Privacy Protection Strategies
Several of the techniques for privacy described in the following section (e.g. email, CD distribution, websites with login access) depend on trust in the relationship between the picture taker and the photograph receivers. People do not dispassionately assess the privacy benefits and risks prior to each opportunity to share photos, or any other information or media exchange [1], [3]. Instead, they rely upon previous relationships with the recipients, and upon a common understanding of the implicit etiquette involved in sharing-that, for example, the shared photos will not be edited or passed along to others outside the circle. This etiquette is not necessarily adhered to in practice, and the trust in a relationship may be misplaced: [10] considers a sad litany of photo privacy violations among family and friends, as detailed in letters to advice columnists in the US.
Part of the difficulty may be that the etiquette involved is in fact unwritten. Formal guides focus nearly exclusively on good manners when taking a photo-particularly at ceremonies such as weddings and graduations [10]. The protocols associated with responsible photo sharing are left to common sense. While some actions are clearly beyond the pale, the acceptability of most other activities depends on the context, the complex interplay between the content or subject of the photo (information sensitivity), the relationship between the photo provider and the receiver (information receiver), and the way in which the photo is used (information usage).
Participants reported a number of strategies that they used to enforce privacy, to some degree, for photos in their collection. One significant advantage of prints over digital photos is that it is more difficult-or at least, it takes more This paper is available online at www.jtaer.com DOI: 10.4067/S0718-18762010000200003 effort-to copy or alter printed photos. One person belonging to a 'more elderly aging group between 60 and 70' [interviewed by Participant G] was reported to share his photos in print form, but not to 'allow' copying (that is, he did not provide negatives and/or did not permit the print to leave his possession).
For digital photos, an obvious privacy technique is simply to never display or distribute the electronic copies. This measure is too drastic, as showing and sharing is a significant factor of the pleasure of taking photographs. Remembering that the informants for this study were nearly exclusively advanced computing students, consider a few of the strategies that they reported using to support privacy for their digital photo collections: • Using email to distribute copies: "…emailing pictures enables me to restrict the viewers…rather than letting everybody to see all of my pictures." [Participant E] • Burning photos to CD and distributing the CDs: "It also protects the photos from being seen by other people in transit." [Participant F] • Posting photos to a public alumni website: "I will not worry about the privacy since these people who see my photos know me and all of us need an account and password to get in the website." [Participant I] • Posting photos to a personal website: recognized to be generally insecure, but an acceptable level of privacy is achieved because "in practice we only give its URL out to friends as some of the photographs on the website are of a personal nature." [Participant M] • Haphazard file organization: "Where as [sic] I due to multiple computers and installs, have various places on different machines where photos are stored, so of which are easier to find, and others are purposely harder to find, but not hidden." [Participant P] Participants realized these were uneasy privacy solutions which were eventually likely to fail. One possible explanation for selection of these particular strategies is that they are simple to implement-it is remarkably easy, for example, to end up with a chaotic folder structure. Another is that a deep familiarity with an environment and its tools leads to a sense of control and mastery-which can in turn result in a distorted sense of security and freedom from threat of privacy invasion [3].

Information Sensitivity
Photographs of faces in particular are a way of presenting ourselves to the world, and we want to literally project a good image through our photos. Our poses, however artificial, reflect the impression that we wish to leave on the viewer: Participant E, for example, notes that women in photos are usually exhibiting 'lovely smiles or making some lovely poses. However, males are always showing off their "cool" aspects rather than having a smiling face…" We enjoy looking at pictures of other people, but may be self-conscious of our own images; self-portraits are particularly likely to be held as private and shared only with family and close friends [Participant B]. Photos that do not conform to our self-image will probably not be shared, and may even be destroyed ("…particularly embarrassing shots of me…which I usually dispose of quickly as to prevent them falling into the wrong hands" [Participant M]).
The activities captured in a photo may render it sensitive, particularly if the subject is ourselves or someone close to us. Participants found it difficult to describe these activities without violating their own or their informants' privacy (Participant H, for example, simply refers to photos depicting "some small secrets"). Another category of concern is photos showing the subject clowning around in a potentially embarrassing manner ("photos that could be misinterpreted or… a subject … could be misrepresented by the way the photo is taken. Most participants reported taking photographs of famous buildings, scenery, and other locations of interest to sightseers; they saw no privacy issues with sharing such photos even if they contained images of people, if the people were not readily identifiable. However, a few participants did report reservations about sharing even these seemingly innocuous photos; a skilled photographer would not like to have others view photos that are technically

Information Receiver
Some photos are identified as acceptable to share with a particular class of receivers: with 'family', 'mates', alumni from high school, and so forth. These classes may be vaguely or tightly defined. A striking feature of these classes is the assumption that once an individual is admitted to the class of, for example, 'mates', that that person will always continue to be a mate-a dangerous assumption since a photo, once shared, cannot be retrieved if the relationship deteriorates and the trust is betrayed.
Photos of oneself are inappropriate to share with people who know only one's virtual, but not physical, self; for example, Participant K at one point used a photo of himself as an avatar on MSN, but rethought this and "removed it fairly quickly because it was a threat to my privacy to allow anyone on my contact list to see a photo of me…I am also a bit wary of posting images of myself … [in] chat forums. It is always disturbing that I never know who might be viewing such images-there are some strange people out there." It can be profoundly distressing to have one's expectations of who is viewing a photo violated-to lose control of images in particular of oneself, family, and friends [1]. The photos do not have to fall into the hands of unsavory strangers lurking in seedy sections of the Web, or that 'weird guy down the road' [Participant J]; even seemingly minor (to an outsider) violations of expectations can be annoying. Participant L reports that a friend developed 'strong ideas' about photo sharing after including photos of her friends and family in a university assignment: "Last year she found out that her assignment had been sent to another university in New Zealand for check marking… No one told her about sending the assignment away before they sent it." It was acceptable for the photos involved to be viewed by her lecturer, but not for unknown lecturers from another institution to assess them.
There is a complex interplay between image content and groups with which the image can be comfortably shared. Some types of images are shared with family, but not with friends ("…images which were taken in unhappy family situations…which I would probably never under any circumstances show to anyone outside of our family" [Participant J]); others can be shown to friends, but not parents ("…some of my photos are a little R-rated and I don't believe they're suitable for my family members to see" [Participant Q]); current girlfriends are not shown photos of exgirlfriends [Participant E]); people associated with work might not be trusted with family photos ("[she] has been tutoring for a while now and … she doesn't not want one of her students to find her personal photos" [interviewed by Participant L]); and so forth. And, of course, some photos are so private that they are for 'you your self and no one else', and cannot be shared [Participant J].
If identifiable people are subjects of a photo (and it is not, for example, a crowd shot of a tourist destination), then privacy concerns may be extended to those people. The subjects may have been captured in activities that the photo taker would personally prefer to keep private ("A good example is the photos she took of her friends skinny-dipping in Raglan-obviously, the people in the photo would not have been too happy if the whole world got to see those photos" [Interviewed by Participant K]). Simple consideration for the feelings of others may also be a factor ("…this is to respect people in the photos. Without permissions from others in the photos, I definitely refuse [to give permission] to copy." [Participant R]).
In some cases, it is not the information content of the photo per se that renders it unsuitable for sharing with some people, but the meaning given to that image by the relationship between the photo taker and the photo viewer. Participant O, for example, shares some photos only with family and friends, even though these are "harmless" and "can't be misinterpreted"; the photos have meaning to Participant O, and so she feels that the photos should only be viewed by others who would catch that meaning because they know her or "understand the reason behind the photo".
Finally, we may not wish to associate particular types of content with certain categories of information receiver, even though we do not personally find the content objectionable: "I have recently heard a fairly disturbing account by a

Information Usage
The use of conventional film cameras by ordinary people is generally speaking a well-defined activity in that people use them to take photos to remember and share events, and objects of interest such as people, scenery and so on. Indeed in most cases the use of the photo is in fact decided before the photos are taken-to print and view the photo and/or give a copy of it to someone else. One of the reasons for making this type of photo taking a well-defined activity is due to the cost and time delays associated with getting photographs printed, which often forces people to decide why they want to take a photo (its usage) before they take it, so that they don't end up "wasting" another shot of the film.
With digital cameras, on the other hand, people are much more likely to take a photo and after viewing it decide what they may wish to use it for; e.g., keep it, make it their desktop image, put it on the web, email it to someone else, etc. Photos can be taken for the sole purpose of sharing-a humorous situation or an odd image is captured and sent on ( Figure 6). Similarly in some cases the type of the digital camera being used defines the intended use of the resulting photo. For instance many of our study participants have mentioned that they use their mobile phone cameras, which are low resolution, only for taking humorous photos which they primarily want to share with others rather than to keep for themselves; they use better quality digital cameras with higher resolutions for taking more "serious" photos which can be kept and/or shared with others. Although our intended usage of photos taken by our digital cameras are much broader than the ones taken with conventional cameras and printed on paper, to some extent we expect that the digital photos we share with others will be used by them in a manner similar to conventional photos; i.e., recipients will view them but will not modify them or share them freely with others. With conventional photos the medium itself (printed paper) restricted their use by people other than their owner, because in the past printed photos could not be reproduced or modified easily. Perhaps this is why people, even in our digital age, have similar expectation from others when they share photos.
Many of the participants in our study clearly stated that although they shared their photos with their family, friends, or general public, they often wanted those accessing their photos to refrain from editing them or freely sharing them with others. The main privacy concern that caused these types of restrictions to be requested or expected was due to the concern that the photos may be "misused" [Participant O] or fall "into the wrong hands" [Participant M]. A typical concern was expressed by Participant L, who shared family photos only within the family because "some people use photos badly on their websites and I don't want that to happen to my family members' photos." Another interesting comment came from Participant O, who would only allow people to view his photos while he was present because "a subject of the photo could be misrepresented". This participant further pointed out that "I am happy to have these photos viewed while in my possession so I can explain them or I can make sure they aren't reproduced and misused." The need to avoid misinterpretation (by providing an explanation or interpretation) is one aspect of the need to avoid image 'misuse'.

Conclusions
Our research demonstrates the utility of Adams' privacy model [1], [3], [4] for identifying concerns that contributors to an online digital collection will have when sharing their multimedia information, in this case their digital photographs, with other users of the collection. The findings from our study initially highlighted the complexity of privacy. For instance, some of the participants changed their perception of privacy risks in mid-sentence when describing their privacy needs and concerns. It could be argued that the issue of privacy is simply a can of worms that should not be opened. However, the ad hoc strategies our study participants developed to protect their privacy show the clear importance of protecting their privacy. One issue that is particularly significant is the sense of control that end-users in an online digital collection will require over the sharing, re-use and interpretation of the photographs that they contribute to the collection.
The results highlight the changing patterns in photograph taking in conjunction with later usage. Multiple methods for sharing and re-using pictures are detailed. However, users retain assumptions about re-usage that were acquired from hard-copy usage (e.g. photos will not be edited, duplicated, distorted or distributed). Many of the participants' comments and strategies for controlling usage related to their desire for control over others' perceptions of them [19], [21].
No single factor of the Adams' model-Information Sensitivity, Information Receiver, or Information Usage-is a sufficient base for a privacy mechanism in an online personal photo collection; no subject or type of image is always/never perceived as sensitive, no receiver is trusted with all/none of the photos, and no type of usage is always/never allowed. We have also discovered another thread in the privacy tangle: that at times the ability to mediate or to explain the photo can be fundamental to the decision as to whether to share a photo. A useful privacy or security mechanism should support all these factors, in any combination that the information owner sees requisite. And, of course, support privacy and sharing while observing the interface or interaction design maxim of requiring as little effort and planning from the photo owner as possible-a tall order indeed! Ultimately who views our images and how they perceive us is a guiding force in our everyday social interactions. Problems occur with technical interactions where the risks are hidden and the mechanisms to support privacy are sadly lacking. We present here a first step towards understanding everyday photo taking and photo sharing habits, so that guidelines can be developed to design more effective personal or public online digital photo storage, search and sharing systems. A better understanding of users' privacy concerns will allow us to address those concerns when constructing systems for management of online digital photo collections-and, we hope, will encourage wider usage of such systems.