Detrimental Network Effects in Privacy: A Graph-theoretic Model for Node-based Intrusions
This provides a robust analytical framework for evaluating proportionality in data protection laws, addressing a critical gap for policymakers and privacy advocates.
The paper tackles the problem of quantifying the reach of networked data collections in privacy contexts, proposing a graph-theoretic model that demonstrates how small initial compromises can lead to large-scale data access, such as 270,000 compromised accounts enabling collection of 68.0M Facebook profiles.
Despite proportionality being one of the tenets of data protection laws, we currently lack a robust analytical framework to evaluate the reach of modern data collections and the network effects at play. We here propose a graph-theoretic model and notions of node- and edge-observability to quantify the reach of networked data collections. We first prove closed-form expressions for our metrics and quantify the impact of the graph's structure on observability. Second, using our model, we quantify how (1) from 270,000 compromised accounts, Cambridge Analytica collected 68.0M Facebook profiles; (2) from surveilling 0.01\% the nodes in a mobile phone network, a law-enforcement agency could observe 18.6\% of all communications; and (3) an app installed on 1\% of smartphones could monitor the location of half of the London population through close proximity tracing. Better quantifying the reach of data collection mechanisms is essential to evaluate their proportionality.