USENIX Association Tenth Symposium On Usable Privacy and Security 285
To Befriend Or Not?
A Model of Friend Request Acceptance on Facebook
Hootan Rashtian, Yazan Boshmaf, Pooya Jaferian, Konstantin Beznosov
University of British Columbia, Vancouver, Canada
{rhootan,boshmaf,pooya,beznosov}@ece.ubc.ca
ABSTRACT
Accepting friend requests from strangers in Facebook-like online
social networks is known to be a risky behavior. Still, empirical
evidence suggests that Facebook users often accept such requests
with high rate. As a first step towards technology support of users in
their decisions about friend requests, we investigate why users ac-
cept such requests. We conducted two studies of users’ befriending
behavior on Facebook. Based on 20 interviews with active Face-
book users, we developed a friend request acceptance model that
explains how various factors influence user acceptance behavior.
To test and refine our model, we also conducted a confirmatory
study with 397 participants using Amazon Mechanical Turk. We
found that four factors significantly impact the receiver’s decision,
namely, knowing the requester’s in real world, having common
hobbies or interests, having mutual friends, and the closeness of
mutual friends. Based on our findings, we offer design guidelines
for improving the usability of the corresponding user interfaces.
1. INTRODUCTION
Users of Facebook-like online social networks (FOSN) are not
careful when accepting friend requests from strangers, i.e., those
who they do not know in real life or online communities [3, 20].
This behavior can be exploited by an attacker to run an infiltration
campaign in a target FOSN [6]. Such malicious campaigns are a
growing cyber-security threat [9], where an attacker controls a set
of user accounts and exploits them to befriend a large number of
benign users.
Large-scale infiltration has three alarming security implications [6]:
First, the social graph of the target FOSN is compromised and pol-
luted with a large number of non-genuine social relationships. This
means that third-party services and websites have to perform ap-
propriate “cleaning” to mask out fake accounts and their relation-
ships before integrating with or using such a FOSN. Second, and
other than online surveillance, the attacker can breach the privacy
of users and collect large amounts of personally identifying infor-
mation (PII), such as email addresses, phone numbers and birth-
dates, which have considerable monetary value in the Internet un-
derground markets [5]. In addition, this information can be used to
Copyright is held by the author/owner. Permission to make digital or hard
copies of all or part of this work for personal or classroom use is granted
without fee.
Symposium on Usable Privacy and Security (SOUPS) 2014, July 9–11,
2014, Menlo Park, CA.
run follow up, highly personalized e-mail spam and phishing cam-
paigns [16]. Third, the attacker can exploit the infiltrated FOSN
to spread misinformation as a form of political astroturfing [23],
or even influence algorithmic trading that uses opinions extracted
from FOSNs to predict stock markets [2, 4].
Preventing large-scale infiltration, or at least limiting its scale
and impact, is important not only to users but also to FOSN opera-
tors and social media-based businesses. Improved technology sup-
port for FOSN users in helping them to make better decisions in
regards to friend requests is expected to reduce the associated risk.
This, however, requires a better understanding of user’s befriend-
ing behavior in FOSNs, particularly what makes them to accept or
decline friendship requests.
Our research bridges this knowledge gap. In particular, we aim
to answer the following general research question: Why do FOSN
users accept friend requests from strangers? In our studies, we
focused on the scenario where a FOSN user receives a friend re-
quest from another, a stranger in particular, and investigated the fac-
tors that influence the user’s decision on whether to accept this re-
quest. Moreover, we also studied the process that users go through,
when accepting friend requests, including identity verification, new
friend management, and privacy settings updates.
In order to understand users’ behavior in FOSNs, we designed
two studies: a qualitative, exploratory study and a quantitative, con-
firmatory study. We received an approval for both studies from our
university’s research ethics board.
First, we conducted a set of semi-structured interviews with 20
active Facebook users (Section 2). The goal of conducting this
exploratory study was to understand users’ behavior in FOSNs in
response to friend requests, and explore the factors that influence
their decisions. To the best of our knowledge, there is no related
qualitative work to support our research questions. Therefore, we
used Grounded Theory [8] in our exploration to develop a model
that captures such a behavior.
In the confirmatory study (Section 3), we refined and partially
tested the developed model, by conducting an online survey among
397 Mechanical Turk (M-Turk) workers. The goal was to identify
prominent factors that highly impacted users’ decisions in practice.
Based on our findings, we offer guidelines on designing FOSN
interfaces for reviewing and responding to friend requests (Sec-
tion 4). While defending against large-scale infiltration is challeng-
ing [7], we hope that progress in this research direction will lead to
the improvement of existing security defences and make them less
vulnerable to both human exploits (i.e., automated social engineer-
ing [15]) and technical exploits (i.e., platform hacks [26]).
To summarize, this paper has the following contributions:
1. We developed a model for online lifecycle of Facebook friend-
ship acceptance, which explains the factors that influence
1
286 Tenth Symposium On Usable Privacy and Security USENIX Association
On-campus
flyers
Participant
Online Ad
Mediator Researcher
Sends contact information
via Facebook message
Sends participant s
contact information
1
2
3
Schedules interview
Figure 1: Mediator role
users’ behavior in response to friend requests.
2. We characterized such factors and analyzed their impact on
users’ decision with regards to friend requests. We also iden-
tified four factors that significantly impact users’ befriending
decisions.
3. Based on both qualitative and quantitative results, we suggest
design guidelines for FOSN interfaces that we expect can
help users make informed decisions about friend requests.
2. EXPLORATORY STUDY
The study was in the form of semi-structured interviews. In what
follows, we give more details about the study, including research
questions, recruitment procedure, data collection and analysis.
2.1 Grounded Theory
We chose Grounded Theory as the approach of this study as it is
an appropriate method for research in areas that have not been pre-
viously explored, especially when a new perspective might be ben-
eficial [24]. Among different ways to apply Grounded Theory [13,
10, 8], we chose to follow the definition proposed by Charmaz [8]
because it provides a more flexible format for data analysis.
2.2 Research Questions
In the exploratory study, we aimed to understand users’ befriend-
ing behavior in response to friend requests, and to explore the fac-
tors that impact their decision. By applying the procedures of Grounded
Theory coding, we were able to find new information, concepts,
themes, and categories to develop a theoretical model, which helped
in answering the following research questions:
RQ1: What are the factors that influence users’ decisions
when responding to friend requests in general, and to friend
requests sent by strangers in particular?
Volunteer Participant
Sends a friendship request from real
account
Sends a friendship request from
auxiliary account
Interview happens after
4 days
1
2
3
Figure 2: Volunteer role
RQ2: What are the actions the users take before making a
decision about a friend request?
RQ3: What are the actions the users take after making a
decision about a friend request?
2.3 Participant Recruitment
We posted the recruitment notices on local Craiglist and Kijiji
websites. We also distributed flyers across our university’s cam-
pus. In the recruitment notice, we included a brief description of the
study and a hyper-link to an existing Facebook profile, and asked
potential participants to send a personal message to that profile de-
scribing their interest, along with their email addresses.
We asked potential participants for their email addresses so that
we have a reliable way to communicate urgent messages without
depending on Facebook (e.g., unplanned changes in the interview
schedule).
The owner of the profile was a graduate student in our depart-
ment who was not affiliated with our research lab and was recruited
to mediate the initial communication with potential participants.
The purpose of recruiting a third party (i.e., the mediator) was to
avoid any potential linkage between the user profile used for re-
cruitment and our study. The mediator signed a non-disclosure
agreement stating that all data collected through mediation would
be immediately erased after relaying them to us, and that all infor-
mation about the study would not be shared externally.
Overall, the mediator, denoted by M , operated under the follow-
ing protocol, as illustrated in Figure 1:
1. A potential participant P uses Facebook to send a personal
message to the mediator M, which contains Ps email address
and interest in the study.
2. M sends to the dedicated researcher an email including P’s
Facebook user identifier along with Ps email address.
3. Once the researcher receives the email from M, he asks M to
permanently delete the message that was sent by P and not
to respond to any interactions initiated by P.
Using the email addresses of potential participants, we used e-
mail to schedule interviews with them. We used the mediator to
avoid inaccuracies due to self-reporting, when it came to identify-
ing which of our participants tend to accept friend requests from
strangers. This is why we had another volunteer who sent prospec-
tive participants friend requests from two other dedicated Facebook
user profiles. The first user profile was a real account managed by
another volunteer, while the second one was an auxiliary account
that we created for the purpose of this study.
1
We aimed at reduc-
ing the chances that the participants knew the real account. To this
end, we excluded students in our department from participating in
the study.
As illustrated in Figure 2, the volunteer controlled both accounts
and sent friend requests to potential participants according to our
instructions. The volunteer, who was a graduate student from our
department but not affiliated with our research lab, signed a non-
disclosure agreement that prohibited him from both interacting with
potential participants and sharing any collected information.
To avoid any suspicion among the participants in regards to the
volunteer’s account, we asked the volunteer to remove Facebook
friends made for the purpose of the study after the interviews were
finished, rather than before the interviews. While there was a risk
1
The auxiliary account represented a male graduate student at-
tending our university. The profile included a publicly available,
generic picture of a man in his mid 20’s.
2
USENIX Association Tenth Symposium On Usable Privacy and Security 287
of two participants having a pre-existing social connection (either
online or offline) and seeing that the one is a friend with the vol-
unteers, which could have influenced the other participant, none of
the interviewed participants indicated that this was the case.
After each interview, we sent a debriefing message via Facebook
to thank the participants for their interest in our study and provided
them with more details about our research.
2.4 Data Collection
Our interviews were semi-structured, which gave us the flexibil-
ity to adjust and add new questions. We performed data analysis
concurrently with the interviews in order to inform each new inter-
view with the results obtained from the previous ones.
Each interview followed roughly the interview guide reproduced
in Appendix A and had the following 6 parts:
1. Overview of the project.
2. Participants’ demographics (e.g., age, gender, education, oc-
cupation, language) and Facebook usage-related questions
(e.g., membership time, frequency of usage).
3. Participants’ befriending behavior in general, and their re-
sponses to friend requests in particular. For instance, we
asked questions about participant’s friends, factors or criteria
they employ to make a decisions about friend requests.
4. Participants’ attitude towards their privacy and security.
5. Participants’ attitude towards befriending strangers, and whether
they had befriended strangers before.
6. Debriefing participants and concluding the interview. Dur-
ing this part of the interview, we also informed them about
the friend requests that our volunteer sent. We observed
each participant’s reaction and asked each participant who
accepted any of the two requests why they did so. We also
asked participants if they had any suggestions regarding the
interface design that might help them make more informed
decisions.
As an iterative process, we analyzed the data by searching for
patterns and forming concepts that were gathered into categories.
We also wrote memos during the process of analysis to capture
our understanding about the emerging categories and relationships
among them.
Thanks to the iterative data analysis performed between inter-
views, we were able to detect “theoretical saturation” [14]. After
15 interviews, as Figure 3 shows, we reached the plateau where
further data collection did not add new categories. This is why we
stopped data collection after interviewing 20 participants. Their
demographics are summarized in Table 1. All interviews were con-
ducted in person at our university’s campus. Each interview took
about 50 minutes on average.
2.5 Data Analysis
As specified earlier, we employed Grounded Theory for the ex-
ploratory study. In Grounded Theory, data analysis involves search-
ing for the concepts behind the answers. We transcribed, anonymized,
and analyzed the collected data after each interview with an aver-
age turn-around time of 4 days. We used a web application tool
called Dedoose for the analysis [1]. In what follows, we describe
each part of the analysis in detail.
0 5 10 15 20
0 20 40 60
Number of participants
Number of unique codes
Figure 3: Theoretical saturation of interview data
2.5.1 Open coding
As the first step of coding, we identified, named, described, and
categorized phenomena found in the collected data. Open cod-
ing resulted in a set of 63 unique codes, including both abstract
(e.g., befriending behavior) and concrete labels (e.g., Facebook fre-
quency of use). The intuition behind having abstract labels was to
help develop a model. At the end, we had in total 2,620 coded
excerpts, with an average of 131 per interview. We performed tri-
angulation by having two other coders on four of the interview tran-
scripts (interviews numbers 2, 6, 8, 11). The codes generated by the
other two coders turned out to be subsets of codes generated by the
main coder.
2.5.2 Axial coding
After open coding, we started to relate the generated codes to
each other and ended up with 7 categories grounded in the collected
data. The categories are friendship factors, privacy and security
awareness or concerns, investigation actions, decision execution,
maintenance actions, environmental factors, and interface capabil-
ities.
2.5.3 Selective coding
The aim of selective coding was twofold: (1) to identify the
main category, which ended up being decision making process
for friend requests; and (2) discarded all categories that were not
related to the core category, e.g., fancy interface features. Finally,
we read the transcripts again and selectively coded any data related
to the core category.
Demographics Type Range # of Participants
19-29 11
30-39 6
Age 40-49 2
50-59 0
60-69 1
Gender Female 12
Male 8
0-2 7
Facebook Membership 2-4 9
(years) 4-6 3
6-8 1
0-100 6
Facebook Friends 100-500 9
500-1000 5
Table 1: Demographics of interview participants
3
288 Tenth Symposium On Usable Privacy and Security USENIX Association
Privacy/Security
Awareness/
Concern
Investigation
Actions
Friendship
Factors
Interface
Capabilities
Decision
Execution
Maintenance
Actions
Environmental
Factors
1
3
2
Decision Making
Process
Figure 4: Online Lifecycle of Facebook Friend Acceptance
(OLFFA) model. Shaded components on the top are the internal
factors and components with hyphenated borders are the external
factors. The middle box, which includes 3 components, represents
the decision making process. The dashed arrows represent decision
making flow. The solid arrows represent the impact of components
on each other.
2.5.4 Theoretical coding
During this stage of analysis, we applied to the data the devel-
oped theoretical model. We integrated the model into related data
in order to explain the core category. The outcome was a grounded
model, or theory, about the lifecycle of Facebook friend acceptance,
which we discuss in the following section.
2.6 Results
We now present the results of our exploratory study. First, we
start by discussing the overall model, and then continue with de-
tailed descriptions of the model components and the relationships
among them.
2.6.1 The Overall Model
We refer to the developed model as the Online Lifecycle of
Facebook Friend Acceptance (OLFFA). It includes 7 components,
as shown in Figure 4. Each component is derived through the cod-
ing steps that were described earlier and is representative of a set
of users’ behaviors.
The factors that we found to have influence on the process of
users’ decision making can be categorized into four groups, to which
we refer as components: Friendship Factors, Privacy and Security
Awareness and Concerns, Environmental Factors, and Interface Ca-
pabilities. Since the first two components (green shaded rectangles
in Figure 4) are user-specific and subjective, we considered them
as internal (to the user). On the other hand, since a user does not
have any direct control over the last two components (red rectan-
gles with hyphenated borders), we call them external factors. The
components inside the large grey box in the middle of the figure
represent the decision making process, and the numeric labels in-
dicate the flow of actions associated with decisions. The rest of
this section discusses each of the components and the relationships
among them.
2.6.2 Friendship Factors
This is the component that was brought up and discussed by all
of the participants. Friendship Factors impacts Privacy and Secu-
rity Awareness and Concerns of users in the sense that when users
employ more restricted friendship factors, they become more sen-
sitive about their profiles’ privacy and security.
On the other hand, Friendship Factors could be impacted by Pri-
vacy and Security Awareness and Concerns. This happens when
the Friendship Factors that the users employ change due to a an
adjustment of their view on their profiles’ privacy and security:
“Well, from the time my brother’s account on LinkedIn
was hacked, I have always concern to have my info
available on the internet. So I started to accept people
that I feel comfortable to share my info with them. Not
like before that I was accepting almost everyone. (P9)
As the result, a user could become more conservative in making
new friendships. A reverse change could happen as well.
This component also impacts Investigation Actions and Mainte-
nance Actions. For instance, if a user relies on the similarity of
backgrounds for making friendships on Facebook, an investigative
action could be to check out the requester’s profile in order to see
her background. Similarly, finding and removing passive friends is
another example of maintenance actions driven by friendship fac-
tors.
Here is the list of Friendship Factors we have discovered:
Knowing the person in the real world (KRL): It was re-
ported by participants that they care about knowing people
in real world or at least in online communities (e.g., forums),
when they consider accepting friend requests on Facebook.
For instance, P5 said:
“If I do not know them, I do not accept them. I
mean I should have seen a person at least once to
accept them as Facebook friend.
Profile picture (PRP): The profile picture is one of the most
important factors for users. We encountered users who usu-
ally spend only a few seconds to decide about friendship re-
quests. Those users pay attention to only the profile picture,
as the fastest way to make their decision. As P4 puts it:
“I can really know from pictures. If you do not
have a picture then I do not know you!”
Profile name (PRN): Similar to profile pictures, the profile
name is used by users especially for the case when they want
to instantly decide about friendship requests. They prefer to
receive requests from recognizable names, to facilitate the
process of decision making.
Common background (CBG): During the interviews, many
participants mentioned common backgrounds and interests
as friendship factors. Users tend to accept friend request
from people who have common background with them. These
commonalities include city and country of birth or residence,
schools and universities attended, personal interests, and hob-
bies, etc. When we asked for the reason, the users pointed out
that these commonalities work like a trigger that helps them
remember the people they have on Facebook and to know
them better. For example, P17 said:
Although it is fine for me to have new friends
based on my interests, I would prefer to be in the
same city to make closer friendships.
4
USENIX Association Tenth Symposium On Usable Privacy and Security 289
Being active on Facebook (BAF): According to our data,
the fact that the friend requester is an active Facebook user is
sometimes the most important factor, even more than know-
ing the requester. P5 expressed this by saying:
“If they send me a request, okay, I know you. I am
going to accept your request but it has been five
months and you are not posting anything. You
never come to Facebook. You never post any-
thing. Okay, I am sorry. I have to delete you
because you are not adding anything.
Gender (GEN): The gender was another factor for partici-
pants. P5 said:
“I think gender is effective in terms of friend re-
quests. You know, I am sorry to say it but put
a picture of a pretty girl would get hundreds of
friendship requests or even messages. I have a
male friend who was building a ‘stable’ of Face-
book women. He had about 600 friends and they
were all women. There is not a single male friend
on the list!”
Number of mutual friends (NMF): The majority of partic-
ipants confirmed that the number of mutual friends is impor-
tant, as it helps users to remember whether they know each
other. Although it is known as a way of verification by many
users, it might fail them. P2 raised an interesting point about
it:
“I used number of mutual friends as a fast ap-
proach to accept friends but later it turned out it is
not necessarily good enough because I removed
many friends who had large number of mutual
connections with me. Maybe because I had a lot
of friends, around 800, so I had many friends in
common with people and it did not work all the
time.
Closeness of mutual friends (CMF): Some participants high-
lighted that, in addition to the number of mutual friends, it is
also important to know the closeness of those friends. That
is, even if there are a couple of mutual friends between the
receiver and the requester, it is not necessarily enough for
users to make a decision. As P5 expressed it:
“You either have to be someone I know or you
have to be mutual friends with someone I really
know. Anyone else I do not take requests anymore
because I ran into some pretty weird people.
User’s activity pattern (UAP): Another friendship factor
was user’s activity pattern, including what kind of informa-
tion is shared (i.e., either relevant or irrelevant) and how often
the content is shared. For instance, P1 said:
“I do care about what they post. If they post, like,
things that I would find disturbing for me, ding!!
I would delete them.
Furthermore, our participants disliked being friends with those
who just monitor others’ posts, and possibly report to mutual
contacts:
“My aunt turned out was watching my page and
then reported my activities to my mom. And that
did not go over well and I just blocked them. I
would never befriend anybody who just monitors
others. (P6)
Given this dislike for passive users, it was interesting to dis-
cover that some of our participants had changed their activity
on Facebook over the years. They undergone a shift from ac-
tive to passive users, who just read others’ posts, without reg-
ularly adding any content. According to our participants, an
active user is the one who is willing to have a lot of Facebook
friends and performs a variety of activities, such as sharing
photos, notes, and videos, as well as posting their status, etc.
Closeness and quality of friendship in real life (CFR): We
found in the interview data that it is important for users to
make sure how good of a friend they might become with the
requester and if they might get along. For instance, P6 re-
ported:
“If I know them then, it takes a little bit longer
because then I have to decide because my half-
brothers and their daughters have requested to be
my friends. And yes, I know them but, no I do not
want them on my page. Because the girls I do not
get along with when they come for Christmas din-
ner. We only see them at Christmas time and I do
not get along with those girls. My half-brothers,
the one I do not I have only met this past sum-
mer for the first time, so I do not know him and I
am not interested!”
Another participant, P5, expressed similar concerns:
“I found this quite upsetting but there is a woman
on my site who I worked with. We were quite
close at work but I did not like a number of things
that she did, and you know I did not accept her
request.
Application-based friendship (APF): There was another fac-
tor raised by our participants where users tend to make friend-
ships with others for the sake of receiving bonuses from some
applications such as games. As a result, such users would
send and accept more friendship requests.
2.6.3 Privacy and Security Concerns and Awareness
As described earlier, this component is influenced by and im-
pacts Friendship Factors. Maintenance Actions also impacts this
component. This might happen as a maintenance activity, for ex-
ample, when a user monitors a friend’s profile and she ends up
facing surprisingly irrelevant content posted by this friend. This
observation would cause them to be aware of fake or hijacked ac-
counts posing as close friends:
“I remember that I found that there were two accounts
for a friend of mine and I thought he had created an-
other one. When I asked, it turned out that the first
one was a fake account and he had already deactivated
his previous account. So, somebody had created an ac-
count similar to his first account. I did not know that.
I even checked my name to see if there is any fake ac-
count for me as well as other friends. (P17).
5
290 Tenth Symposium On Usable Privacy and Security USENIX Association
Another source of influence on this component is Environmental
Factors in general and media in particular. Some participants noted
that their awareness of privacy and security on Facebook were af-
fected by media reports. For example, P7 shared:
“Previously, I would just add like a lot of random peo-
ple and accept requests. Later, I became more conser-
vative, as I heard from media about leakage of users’
information.
P1 also believed that there were security incidents reported by me-
dia that influenced her behavior:
“Because there are a lot of issues with Facebook, like
pictures, as there was the recent one about the girl
who committed suicide and how her photo was used
for some porn website so things like that. So for the
pictures that I post on Facebook, they are never of my
face.
P3 had similar concern describing his experience:
“I used to post a lot of photos on Facebook but then
there are issues with security. The more you post, the
more you cannot take back because I read in a blog that
even if you post a photo on Facebook and get rid of it
from your account, just delete an album, you are still
going to be on Facebook. So because of that I stopped
posting photos on my account.
We also found an interesting point about the effect of security
and privacy incidents in other online services, which results in change
of behavior on Facebook. P10 said:
“I had profiles on LinkedIn and Evernote but then I re-
moved it because of some security leak in passwords. I
got sensitive in terms of disclosing information on my
accounts.
2.6.4 Interface Capabilities
Our participants reported a set of issues related to capabilities
of the interface—e.g., lack of required information, device-specific
design, and frequent changes of privacy settings—that would im-
pact Investigation Actions and Maintenance Actions.
Some of the participants could not easily find desired informa-
tion in order to make decisions about friendship requests. As a
result, they preferred sometimes to think about requests, rather than
looking for additional information on Facebook about the requesters.
This raises the issue of information visibility in the interface. For
instance, P3 provided the following suggestions:
“Definitely need to have what/where they are from,
what they have, if it is in academic backgrounds, then
what they studied and where. And if it is just maybe
a few interests that they have, [it] could never hurt,
I think. Just because you look at a person and you
think they are interested in photography I do not think
it could actually hurt anyone. So just something along
those lines that can give you more information.
Regarding the issues related to device-specific design, P8 shared
her experience as follows:
“In terms of an interface, maybe a bigger button, I
think just because sometimes all those buttons look
very similar and you tend to click one. If you are using
your phone and looking at someone who you are not a
friend of, but you want to (this has happened to me be-
fore), you want to message that person instead before
you add as a friend and then by mistake because the
buttons are right next to each other I would press add a
friend, send a friend request, or add a friend instead of
message. So when that goes out that is it. They receive
it and then you cannot really retract that.
P13 mentioned another issue in this regard:
“It really depends if I use my phone or my desktop
when I accept or reject a request. Using the desktop, I
spend way more time while this is not the case with my
iPhone. So you would be lucky to have me on desk-
top when receiving your request. On iPhone, I would
make my decision very quickly. If I do not remember,
I would just reject.
This issue shows the gap between usability of device-specific de-
signs of interfaces for accepting/rejecting requests.
The last issue about the interface was frequent changes made to
the interface, the privacy settings in particular. Participants found
it difficult to catch up with these changes.
2.6.5 Investigation Actions
Before making their mind in regards to friendship requests, some
of our participants took one or more of the following actions:
Sending personal message: Specified by many participants,
sending personal message is a common technique for obtain-
ing additional information about the requesting user, espe-
cially when he is not known to the receiver. As P7 explains:
“I would personally ask them on private messag-
ing and say that I do not know you or asking some
questions like ‘have I met you?’
Checking out photos: It was also common among the par-
ticipants to go to the profile and, if possible, check out photos
of the requester. They reported to be helpful to recognize the
requester, to either make decide about the request or start
communicating with the requester via messaging.
Looking for commonalities: Another action taken by our
participants was to explore for commonalities in terms of
background, friends, interests, etc., as P5 illustrated:
“Do we have common interests? Do you know
some friends of mine? We have something in
common maybe?”
This action seemed to be done by those participants who had
new friends, in order to help them know people better, as well
as those who wanted to have limited list of friends, in order
to help them verify requesters, in case the profile picture or
name were not recognized.
Checking mutual friends profiles: Some of our participants
reported that, although it was important to know if there were
any mutual friends, it also took time to check out the mutual
friends’ profiles for evaluating the closeness of the relation-
ship. Although it was important to some of our participants,
some other participants said that they would skip this step
because it was too time-consuming and required somewhat
high cognitive load:
6
USENIX Association Tenth Symposium On Usable Privacy and Security 291
“I really want to know more than just number of
our mutual friends and see if those are close friends
but I check that when it does not take me a long
time. Like less than 5 minutes otherwise I won’t
do that. (P13).
2.6.6 Decision Execution
We found three types of behavior for decision execution. (1)
Some participants would make their decisions immediately after
they received requests. If they could find information they needed
to make the decision, then they would easily make it right away.
There were other participants who would accept friend requests
right away, although for different purpose. They would do so in
order to find out more about the requester (after becoming friends)
and then decide if they wanted to unfriend her or not.
(2) Otherwise, they would reduce their set of decision criteria,
in order to expedite the process. In such cases, participants with
less concerns about privacy and security would most likely accept
friend requests:
“If I get a friend request that we share mutual friends
but I do not know them, I am always hoping that I can
check their profile. Sometimes it is restricted so you
cannot. So I accept the friend request. (P5)
(3) On the other hand, some users would leave requests as they
are, and postpone further investigations.
2.6.7 Maintenance Actions
The interview data revealed three types of Maintenance Actions
that our participants took after accepting friend requests.
One of the common maintenance actions was to remove friends
after a while, due to a number of different reasons. For exam-
ples, those friends that had been added in order to play face boo
games, would be removed when there was no need to be friends
with them. Another common reason was finding content shared by
to-be-removed users irrelevant. As a result of these actions, users
may adjust their Privacy and Security Awareness and Concerns,
which would eventually impact their Friendship Factors.
One other type of maintenance actions was to define different
levels of access for friends. This usually happened in two ways.
One was to define separate groups of friends and then specify vis-
ibility of the posts using these groups. The other way was to deny
specific users the ability to see a post or any desired content on-
the-fly. This means that participants sometimes set the access level
manually to avoid a group of friends accessing the post. As an
example, P7 said:
“If it is for family pictures, I would just change the
privacy setting to relatives. Then, I do not have to re-
member every one of those friends. Sometimes I do
not even have to create a group for relatives though. I
can remember who are my relatives.
The third type of actions was for our participants to update the
privacy settings of their profiles. However, some of our partici-
pants, who were sensitive about their privacy, complained about
frequent changes that Facebook privacy settings undergo:
“It changes a lot, but from time to time I try to go back
and look at it, but that could be like once a year or so.
(P3)
On the other hand, we found that some participants were not even
aware of privacy settings in the interface. When we asked about the
possibility of access to information of their profiles, some of them
did not even know if it were possible. P2 said:
“I guess so, because I have not seen that at all. But,
now that you have talked about that, to me that means
there are thousands of people that can check who I am.
Some groups are pretty big. I have not thought of it.
This issue with frequent changes in Facebook privacy settings illus-
trates the relationship between Maintenance Actions and Interface
Capabilities, in which the latter impacts the former.
2.6.8 Environmental Factors
Analysis of interview data revealed that there are three environ-
mental factors that influence Investigation Actions and Privacy and
Security Awareness and Concerns, as discussed before.
First, the participants referred to the lack of time, as a factor that
influenced their decisions about friend requests. For instance, P17
said
“I have always problem with the lack of time during
break times. I have to check updates, requests, mes-
sages, etc. in just 15 minutes. I once accepted a friend
by mistake, as the requester had just same name as a
friend of mine and I had not checked his profile to get
more info about him.
The second factor is the lack of concentration, while checking
out Facebook:
“On the way to university, I usually check out my pro-
file on the bus. I once accepted a request when I was
on the bus and that was a wrong decision. I guess I was
distracted by stops and also other passengers so that I
forgot to send a message to the requester. (P20)
The third environmental factor was the effect of media. As de-
scribed earlier, the Privacy and Security Awareness and Concerns
of our participants were impacted by media reports about security
and privacy incidents.
2.7 Discussion
In order to answer the research questions, we decided to go one
step back and envision the problem as part of a bigger context.
Therefore, we managed to come up with a model which discusses
users’ behavior when they want to accept/reject a friend request.
This idea was supported with the fact that there is no previous study
focused on this aspect of users behavior. Armed with such a model,
we would be able to uncover behavior of users towards strangers
since this scenario would be a specific case of the model. We de-
fine stranger as a person who is not familiar in real life or online
communities. In this regard, we indirectly asked participants about
their interaction with strangers so that we can reveal more details
about this scenario.
2.7.1 Befriending Strangers
As described in Section 2.3, before each participant was inter-
viewed, the participant received two friend requests, one from a
Facebook profile of a real user, and the other from an auxiliary pro-
file made up for the purpose of the study. Five participants accepted
at least one request from one of these accounts, and one of them
accepted requests from both accounts. When we reached in our in-
terviews the debriefing part, in which we informed the participants
that these requests were from our research team, their reactions var-
ied.
The participant who had accepted both requests said that it was
okay with him and he did not care about strangers among his Face-
book friends, since he did not have any idea that anybody could
7
292 Tenth Symposium On Usable Privacy and Security USENIX Association
make any use of his profile data. The other four participants who
had accepted requests from either real or auxiliary accounts of the
researchers had different attitudes. After hearing the scenario, they
got nervous and one of them said:
“I would not have accepted the request if I knew more.
I saw the guy is from UBC and is a graduate student. I
thought that it should not hurt.
Another participant, most of whose profile was accessible publicly,
had similarly nervous reaction, especially when we explained the
possibility of any user accessing his profile information. He com-
mented that in the future, he would pay more attention regarding
friend requests.
In addition, we found evidence in interview data suggesting that
some OSN users don’t pay attention to possible threats, when it
comes to making friendship connections:
“I seem to be a million times more strict than most
people. I know some friends who accept anybody that
requests. Well, I mean a lot of people do. They do take
it too easy. How can you have 2,000 friends?” (P5)
Another participant had a set of “friends” from accessory shops
(she did not know them) while they had access to the profile infor-
mation e.g., other friends in her profile. Some participants seemed
to have no criterion for making friendship. They would just add
anybody, as P11 explained:
“I am always nice to requests on Facebook, as I cannot
remember that I have rejected a request.
Attitudes Towards Strangers: These observations made us more
curious about users’ perception of Facebook users they do not know
in real life. Our analysis suggests that, when it comes to one’s
attitude towards strangers on Facebook, our participants can be
roughly divided into three groups.
We found that one group of participants had a “take it easy” atti-
tude towards accepting friend requests from strangers. As P1 justi-
fied:
“I have spent some time with them on Facebook and
they do not seem somebody who would cause me pain!”
As P1 mentioned, it is enough to have a feeling that a person is not
going to make any trouble for them. The other reason for accepting
their requests is that having less commonality might be even an
advantage, as P16 illustrated:
“I know some people in real life who have common
things with me like our neighbor’s kids that we lived
in the same neighborhood, we went to the same school.
But I do not want him to be on my Facebook profile.
I prefer to have more of these unknown guys instead
of our neighbor’s son, as some of them post cool stuff
and I don’t need to be worried about my posts, because
none of them would tell my dad what I am doing!”
On the other hand, for some other participants, only knowing a
requester in real life did not necessarily mean that this was a right
person to be friends with on Facebook. P2 illustrated this point
with the following example:
“I have like friends from primary school who ask me
to be [Facebook] friends. But, in primary school you
are friends with all your classroom so then it will be
like your real friends. And that has not been done for
15 years. So now I do not accept them anymore if I see
that we are in really different world and everything. It
is my private life and I am a new person now.
P1 explains this attitude further:
“If you have not kept in contact or you have not actu-
ally tried to stay in contact, I feel like there is no point.
Long ago in the past, I do not go back there.
Users who have this attitude are less vulnerable to the threat of
accepting a stranger’s request.
The third group’s attitude was not as clear cut as for the first two
groups. As a result, participants from this group were influenced
by the various factors specified in our model. This group would
be also vulnerable to the threat of accepting strangers’ requests, as
participants from this group reported issues in recognizing people
in real life or online communities.
These groups are not necessarily mutually exclusive, i.e., the
same user can exhibit in the majority of cases the behaviour of one
group, and yet handle some of the requests following the pattern of
another group.
Accepting While Not Indending: Our analysis revealed that
some of our participants would make inconsistent decisions. For
instance, they would accept friend requests although they didn’t
have intention to be Facebook friends with the requesters, as an
example of P11 illustrates:
“Some requests are from people that I had a quick chat
with them or somehow I remember them but honestly
I don’t want to be friends with them. However, I will
accept if they send me request.
These participants seem to find it socially awkward to reject friend
requests. P18 made it explicit.
“I always have this problem with some of people I
know but I don’t have a really good relationship with
them that I cannot say no to their request. I don’t know
why but I think it’s better to accept rather than reject
them. (P18)
Usage Differences: We discovered differences in the way our
participants used Facebook, and these differences seem to correlate
with they way they treated friend requests. Although it has been
previously shown that users tend to use OSNs (including Facebook)
to make connections and share different kinds of data, we found
three “flavours” of users:
Contributors: These are traditional users who both consume
and contribute new content. They make friendships, share
photos, share personal information, post updates, and inter-
act with others by commenting and favoring their shared con-
tent. From the point of view of this group, the aim of FOSNs
is to make an environment in which people feel free to share
information with others and receive feedback. While they are
willing to have more friends, they are also conscious about
their profile privacy and friendship management, as P16 il-
lustrated.
“I really enjoy using Facebook when I share posts
or comment on a post and receive likes. But this is
because I know my friends and feel comfortable
with them”
Observers: On the other end of the spectrum, there are users
that avoid having social interaction and prefer to passively
observe others. They have different reasons for this behavior
including lack of time, security concerns, difficulty to use the
interface. As the result, they do not share any information
and they are willing to make connection with as many users
as possible.
USENIX Association Tenth Symposium On Usable Privacy and Security 293
Percentage of participants
(%)
(a) Age
Percentage of participants
(%)
(b) Gender
Figure 5: Age and gender comparison of our sample to Facebook population.
“I like Facebook as it gives me the chance to read
my friends’ posts and watch their photos, read
news and many other things. Of course I don’t
share anything as I use my phone and it’s really
difficult to type a lot. Moreover it takes a lot of
time. (P13)
Conscious Contributors: In addition to these two extremes
of the spectrum, there are advanced contributors who are
more sensitive about the audience of their posts and other
shared content. This third group of people reports more is-
sues regarding friendship management, as P15 illustrates:
“What I am looking for on Facebook is to interact
with others and share my info as well as see their
posts. I am spending a lot of time to manage my
profile and I have this difficulty to put my friends
in different groups as I want to have them but I
don’t like to share my personal photos or posts
with all of them.
To summarize, our observation indicates that we can categorize
users of FOSNs into three groups, with Contributors and Conscious
Contributors being more likely to have issues in terms of privacy
and security of their profiles. This sheds light on the point that
privacy and security would have different meanings for users ac-
cording to the type of their FOSN usage. Consequently, this may
impact user’s attitude towards friend requests.
Our Online Lifecycle of Accepting Friends model could be help-
ful for FOSN designers, when it comes to supporting users in de-
ciding about friend requests. The model could aid in considering
various factors that impact user decisions.
3. CONFIRMATORY STUDY
While the exploratory study allowed us to identify possible fac-
tors that have a role in users’ decisions about friendship requests,
we wanted to test these factors on a representative sample and mea-
sure the fraction of users who are employed by those factors. There-
fore, we decided to conduct an online survey that would allow us
to collect quantitative data from a representative sample.
For each of the eleven friendship factors identified from the in-
terviews, the survey had at least one statement (e.g., “If I recognize
someone’s picture, I would accept his/her friendship request on
Facebook.”) and asked participants to indicate their agreement on
Likert scale of 1-5. For those factors that had more than one state-
ment, we used the mean score. For testing data quality, we have
included contradicting statements. For example, “I would accept a
friendship request from a Facebook application. and “I don’t tend
to accept friendship requests sent by Facebook applications. All
questions from the survey can be found in Appendix B.
We recruited 425 M-Turk participants from USA and Canada.
Each USA participant received $0.50 and Canadian $0.75. It took
16 minutes on average for our participants to finish the survey. We
removed 28 participants because of contradictions in their answers,
which left us with responses from 397 participants.
3.1 Results
First, we provide statistics related to sample representativeness
and participants demographics, then descriptive statistics regarding
employment of the friendship factors, finally we discuss the impact
of the friendship factors on accepting a stranger’s request.
3.1.1 Pariticipants Demographics
We compare demographics of our sample with the demographics
of Facebook users.
As Figure 5a shows, our sample is younger than Facebook users.
We got more younger participants (18-24: 31% vs 23.2% and 24-
34: 39% vs 24.4%) and fewer participants in higher age ranges
(35-54: 25% vs 31.1% and 55 and above: 5% vs 15.6 %). We
did not have any preference to recruit participants from younger
age range and as mentioned earlier, we recruited participants from
Amazon M-Turk. However, previous work shows that the turkers
are relatively young with about 80% in 18 to 40 years old age range
(Average = 31, Minimum = 18, Maximum = 71, Median = 27) [22],
which could be the reason for having a younger sample rather than
Facebook demographics. It is also worth mentioning that we did
not have any participants in the age range of 13 to 18, as we chose
to recruit participants who were at least 19 years old.
In terms of gender, as Figure 5b shows, our sample was biased
towards male participants (58% vs 42%), while 53.3% of Facebook
users are female and 45.7% are male.
Demographics of our participants show diversity of the sam-
ple. In terms of age, we had participants from 19 years old to
65 and more. Gender-wise our participants were fairly evenly dis-
tributed. Participants also had diverse education levels (26% with
high school or lower degree, 59% with undergraduate degree, 10%
with graduate degree). The employment status of our participants
varied, too: 56% employed, 22% students, 16% unemployed, 2%
unemployed and 4% had other employment status.
We also asked our participants general questions about their Face-
book usage and experience. The majority (94%) were Facebook
9
294 Tenth Symposium On Usable Privacy and Security USENIX Association
P<0.05
Fraction of participants employing each of the friendship factors for Scenarios #1 and #2 (%)
Application-based friendship =
Number of mutual friends =
User s activity pattern =
Gender =
Closeness of friendship relationship =
Closeness of mutual friends =
Being active =
Common background =
Schools attended =
City of living =
Profile picture =
P<0.05
P<0.05
City of birth =
Profile name =
Knowing in real life =
Common hobbies =
P<0.05
Figure 6: Distribution of friendship factors employment among all participants, scenario 1 (S1), and scenario 2 (S2). Significant differences
between participants of S1 and S2 are shown in terms of employing KRL, CMF, NMF, HOB (p < 0.05).
users for more than 2 years. In terms of usage frequency, 92% re-
ported that they login into Facebook at least once a month, while
80% login several times a week. They were also asked to go to their
Facebook profile and enter the exact number of their friends. Our
participants had wide range of friendship circles, with minimum of
10 and maximum 3,000 (mean 328, median 203). This shows that
collected data came from users with different befriending patterns.
Majority (64%) of participants receive at least one friend request in
a month and only 7% receive friend requests less than once a year.
3.1.2 Friendship Factors
Figure 6 summarizes results of the survey on the friendship fac-
tors. The red bars show the percentage of all participants who re-
ported employing each of the factors, i.e., they agreed or strongly
agreed with the corresponding statement(s).
Starting from the most popular factors, requester’s profile picture
(84%) and name (82%), participants accept friendship requests if
they recognize the requesters. Seventy seven percent agreed with
statement “I tend to accept friendship requests from people I know
in real life or online communities.
Another factor was “common background” (CBG). While 74%
of participants agreed that it is important to know requester’s back-
ground, the survey results show that the participants were not specif-
ically interested in a single type of background information. And
the importance varied among participants. For instance, only 15%
would accept friend requests from users who were born in the same
city as they were. Similarly, only 18% would accept friendship re-
quests from users who live in the same city as they do. On the other
hand, 27% would be interested in having Facebook friends from the
same school/university. The most popular type was “common in-
terests/hobbies, with 35% relying on this background information
in their decisions about friend requests. This particular result was
corroborated in the interviews, with participants reporting interest
in new FOSN friendships with those who share interests or hobbies.
Another factor that we tested was activeness of friends, with 72%
reporting interest in accepting friend requests from active users. In
terms of gender (GEN), 39% of participants confirmed they con-
sider it during decision making for friendship requests. The “num-
ber of mutual friends” (NMF), which is currently shown in the
Facebook’s friendship request dialog, was only used by 31% of
participants for making their decisions. On the other hand, the
majority of participants (63%) do care about “closeness of mutual
friends” (CMF) to them. Regarding the impact of “user activity pat-
tern” (UAP), we found that 38% of participants were reluctant to
accept a friend request if they saw irrelevant posts shared by the re-
quester. This was expected, as our interviews showed that although
people like to have access to the posts of requester, they usually do
not have this level of access. The results also show that “closeness
and quality of friendship in real life” (CFR) was important for 60%
of participants. We also measured the number of participants who
would accept “requests from Facebook applications”. Results show
that 22% of participants took APF into consideration, as a factor in
deciding about friend requests.
3.1.3 Accepting Friend Requests from Strangers
We wanted to understand if there is a difference between those
participants who accept friend requests from strangers and those
who don’t. We were specifically looking at the difference in the
way they would be influenced by the Friendship Factors.
To investigate this difference, we considered two types of user
behaviour, which we describe as two scenarios: (1) (S1): users
could accept friend requests from strangers, and (2) (S2): users
would reject friend request from strangers. In these scenarios, friend-
ship factors are dependent variables (DVs) and a decision of either
accepting or rejecting friend requests is the independent variable
(IV).
10
USENIX Association Tenth Symposium On Usable Privacy and Security 295
We divided our dataset into two groups (scenario 1 and 2). This
was done by analyzing the answers to one of the survey ques-
tions, which explicitly asked participants if they have any strangers
among their Facebook friends. 62% of the participants confirmed
that they did. Then, we compared these two groups in how much
they used each of the friendship factors. In what follows, we de-
scribe the results of our comparison.
We found that while only 68% of participants in S1 consider
the knowledge of the requester in real life (KRL) in their decision
process, this number jumps to 91% for S2, with th difference being
statistically significant (Mann-Whitney’s test: p = 0.0003 < 0.05).
We interpret this result as an indicator for the level of awareness in
these two groups.
For profile name (PRN), although we did not see much difference
between the groups, participants in S1 reported more interest than
those in S2 (80% vs 87%) for using profile name as a factor.
For common background, we looked at four types of background
information, including city of birth (CityB), city of Living (CityL),
schools/universities attended (School), and common hobbies/interests
(HOB). For the first three factors, we could not find statistically
significant difference between participants in S1 and S2. However,
S2 participants were slightly more interested in them (CityB: 19%
vs 12%, CityL: 21% vs 15%, School: 29% vs 25%). The differ-
ence was significant when it came to “common hobbies/interests”
(HOB). While 40% of participants from S1 employed this as a
friendship factor, there were only 25% in S2 who did so (Mann-
Whitney’s test: p = 0.03 < 0.05). This result could be leveraged as
a cue by socialbots to customize profile information in order to in-
crease the chance of getting their friend requests accepted. “Being
active” (BAF) was also more popular among S1 (76%) members
rather than S2 members (64%), although the difference was not
statistically significant.
Regarding the “number of mutual friends” (NMF), we saw sig-
nificantly more members in S1 (37%) than S2 (19%) employing
it as a factor in their decisions (Mann-Whitney’s test: p = 0.01
< 0.05). Also, comparison of S1 and S2 in terms of “closeness
of mutual friends” (CMF) indicated that more participants in S2
(77%) cared about it than in S1 (57%) (Mann-Whitney’s test: p =
0.03 < 0.05). The results of comparison for NMF and CMF sug-
gest that informing users about the closeness of the requester with
the mutual friends would be more effective than only showing the
number of such friends (available in current interface).
For user’s activity pattern, we found that participants from S2
were slightly more interested in UAP than from S1. We suspect that
the absence of statistically significant results in regards to UAP is
due to the difficulty of finding a pattern, as we had this feedback in
exploratory study. Regarding closeness of friendship relationship,
we did not find statistically significant difference between S1 and
S2. This result is expected, as it more relates to scenarios in which
friendship requests are sent from known users, according to our in-
terview data. Finally, we could not find statistically significant dif-
ference between participants in S1 (20%) and S2 (25%) regarding
application-based friendship (APF), although we expected to ob-
serve significantly more participants in S1 who rely on this factor.
This might be because of the shortage in the number of participants
who have received this type of friendship requests.
4. DISCUSSION
Considering the first goal defined for the survey, we analyzed the
data related to each of the factors to investigate how much they are
used. As the result, except for UAP and APF, all other friendship
factors were employed by at least more than 50% of participants,
which shows the validity of friendship factors inferred from the ex-
ploratory study. In addition, we asked survey participants to share
with us other friendship factors if they have any. Analysis of an-
swers to this question did not add to the factors themselves. The
participants who answered this question, mostly suggested features
that could be added to the friend request decision dialogues. As
mentioned earlier, since having access to user’s wall is usually not
possible, people may not consider UAP as a factor. However, ac-
cording to the exploratory study, participants prefer to have infor-
mation about the activity patterns of requesters. For APF, a low
percentage was expected from the interview study, in which only
few participants reported receiving friendship requests from appli-
cations.
For the second goal, the idea of focusing on the results of groups
who have strangers in their Facebook friends, and comparing it to
those who do not have, helped us to investigate and uncover the
impact of the friendship factors. As the results show, we found
four friendship factors (KRL, HOB, NMF, CMF) could play a no-
table role and influence users’ decisions. This result could be lever-
aged for improving the interface design so that users make more
informed decisions.
4.1 Interface Design Recommendations
As discussed before, the results from the analysis of our survey
data revealed interesting points about friendship factors that could
be used for improving the Facebook interface. Therefore, we offer
the following suggestions for designing user interfaces for accept-
ing friendship requests:
The interface should convey the importance of making accu-
rate decisions about friendship requests and encourage users
to make informed decisions. For instance, users could be no-
tified by a pop-up window (similar to current design) asking
users to go to another page in order to make an informed de-
cision, using useful information or a check list. Having such
a feature in the interface is supported by the OLFFA model
since it helps users to appreciate the importance of these de-
cisions.
The interface could contain a message box so that requesters
can briefly specify how they know the user. Another sug-
gestion is to give access to photos selected by each user to
better recognize the requester. We had reports from partici-
pants of both studies complaining about unclear small pho-
tos. This kind of improvement would facilitate the investiga-
tion/maintenance actions (in the decision making process of
OLFFA model) for users.
It could be helpful if user had access to statistics (number of
likes, number of comments, number of personal messages,
number of common photos) about interaction with his/her
friends. In this case, it is easier to investigate closeness of
mutual friends, which was shown to be more useful than
only the number of mutual friends. In other words, this fea-
ture would facilitate the Investigation Actions in the OLFFA
model for finding out closeness of mutual friends.
The interface could encourage the user to specify the access
level for new friends at the time the user accepts a friend re-
quest. We suggest this because our analysis showed that 31%
of participants in S1 did not define any access level for their
friends while 9% in S2 reported similar behavior. Therefore,
this could be helpful (at least for users who accept stranger’s
requests) as a facilitator for performing maintenance actions
and help users to be more cautious about the level of access
they grant to their Facebook friends.
11
296 Tenth Symposium On Usable Privacy and Security USENIX Association
It is worth mentioning that although we believe these recommen-
dations could be helpful for the Facebook interface improvement,
they are currently hypotheses to be tested.
5. LIMITATIONS
Our work has several limitations. In the exploratory part, it
would be better to have more diversity in terms of age so that the
model could be representative of a wider range of Facebook users.
On the other hand, although we reach saturation in data collection,
we had ve participants who accepted friendship requests from the
volunteer. Having more participants from this group could result in
more interesting observations and a more accurate model.
In the survey, we asked participants to report their activities,
which might not be accurate due to somewhat abstract nature of
the questions. As an alternative, it could be done by providing
them with different scenarios and then asking them questions. We
refrained from doing this due to the time limits of our survey. Fi-
nally, our sample is not representative of all Facebook users, as
we recruited participants only from USA and Canada. Having par-
ticipants from other countries could reveal more interesting points
about users befriending behavior.
6. RELATED WORK
Previous work shows that changes in friendship network has been
observed due to internet use. For instance, friendships continue to
be abundant among a wide range of adult Americans from (25 to
74 years old) from 2002 to 2007 [27]. Emergence of online social
networks was one of the main reasons for this phenomenon. While
the number of OSN users is still growing, there are concerns about
privacy of users. There is work on definition of privacy, and digital
privacy in particular, to clarify what should be expected by users in
terms of privacy [21]. On the other hand, it has been shown that
this is not always a fault of systems that results in privacy and se-
curity issues and humans are a major cause of these failures [25].
Therefore, it is necessary to consider humans in designing systems.
Cranor proposed a framework to reason about the human in the
process of designing secure systems [11]. This framework was in-
sightful during the process of qualitative data analysis to form our
model. The is also work related to privacy of users on Facebook.
It was shown that users’ intention does not match with their pri-
vacy settings [18, 19]. Another study showed that users have dif-
ficulty in understanding the privacy settings and cannot configure
them correctly [12]. As the most related work to ours, Johnson et
al. showed that the main concern is insider’s threat rather than the
outsider’s [17]. We believe that the focus of our work is different,
as our concern is to understand user’s behavior towards friendship
requests rather than how they manage their privacy settings. More-
over, we believe that stranger’s threat still exists as 62% of our
sample reported to have at least one stranger in their friend list.
7. CONCLUSIONS AND FUTURE WORK
Our work contributes to providing socio-technical solutions to
help users be aware of their decisions towards friendship requests
from strangers. First, we aimed to better understand their behavior.
We identified three groups of factors that impact users’ decisions,
including internal factors (Friendship Factors, Privacy/Security Aware-
ness and Concern), external factors (Environmental Factors, Inter-
face Capabilities) as well as a 3-step process of decision making
(investigation, decision execution, maintenance). We believe that
this model is helpful for improving the part of interface related
to receiving friendship requests. We also showed that accepting
stranger’s requests is still a threat, as having at least one stranger
in friend list was reported by 62% of our participants. We also in-
troduced 4 friendship factors (knowing in the real world, common
hobbies/interests, number of mutual friends, closeness of mutual
friends) that can significantly impact users’ decisions in regards to
friend requests. Then, we offered suggestions for improving the
interface.
There are several directions for future work. One direction is to
perform structural model testing on the proposed model Structural
Equation Modeling (SEM). Another direction is to conduct a user
study and investigate impact of modifying the interface using the
proposed guidelines. Another one is to focus on each component
of the model and investigate their potential impact on friend request
decisions.
8. ACKNOWLEDGMENTS
This work was supported by NSERC. We would like to thank
LERSSE members for their constructive feedback on this work.
9. REFERENCES
[1] http://www.dedoose.com/.
[2] J. Bates. Sniffing out socialbots: The combustive potential of
social media-based algorithms.
http://www.huffingtonpost.com/
john-bates/financial-trading-algorithms_
b_1125334.html, December 2011.
[3] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda. All your
contacts are belong to us: automated identity theft attacks on
social networks. In Proceedings of the 18th international
conference on World wide web, pages 551–560. ACM, 2009.
[4] J. Bollen, H. Mao, and X. Zeng. Twitter mood predicts the
stock market. Journal of Computational Science, 2(1):1 8,
2011.
[5] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu.
The socialbot network: when bots socialize for fame and
money. In Proceedings of the 27th Annual Computer
Security Applications Conference, ACSAC ’11, pages
93–102, New York, NY, USA, 2011. ACM.
[6] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu.
Design and analysis of a social botnet. Computer Networks,
pages 1–22, 2012.
[7] Y. Boshmaf, I. Muslukhov, K. Beznosov, and M. Ripeanu.
Key challenges in defending against malicious socialbots. In
Proceedings of the 5th USENIX conference on Large-scale
exploits and emergent threats, LEET’12, Berkeley, CA,
USA, 2012. USENIX Association.
[8] K. Charmaz. Constructing Grounded Theory. SAGE
publications, 2006.
[9] E. Chung. Facebook easily infiltrated, mined for personal
info. http://www.cbc.ca/news/technology/
story/2011/11/07/
technology-facebook-socialbots.html,
November 2011.
[10] J. Corbin and A. Strauss. Basics of Qualitative Research:
Grounded Theory Procedures and Techniques. Sage,
Newbury Park, CA, 1990.
[11] L. F. Cranor. A framework for reasoning about the human in
the loop. In UPSEC’08: Proceedings of the 1st Conference
on Usability, Psychology, and Security, pages 1–15,
Berkeley, CA, USA, 2008. USENIX Association.
[12] S. Egelman, A. Oates, and S. Krishnamurthi. Oops, i did it
again: mitigating repeated access control errors on facebook.
In CHI, pages 2295–2304. ACM, 2011.
12
USENIX Association Tenth Symposium On Usable Privacy and Security 297
[13] B. Glaser and A. L. Strauss. The Discovery of Grounded
Theory, Strategies for Qualitative Research. Aldine
Publishing Company, Chicago, Illinois, 1967.
[14] B. G. Glaser. Theoretical sensitivity : advances in the
methodology of grounded theory. Sociology Press, Mill
Valley, CA, 1978.
[15] M. Huber, S. Kowalski, M. Nohlberg, and S. Tjoa. Towards
automating social engineering using social networking sites.
Computational Science and Engineering, IEEE International
Conference on, 3:117–124, 2009.
[16] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer.
Social phishing. Commun. ACM, 50(10):94–100, 2007.
[17] M. Johnson, S. Egelman, and S. M. Bellovin. Facebook and
privacy: it’s complicated. In Proceedings of the Eighth
Symposium on Usable Privacy and Security, page 9. ACM,
2012.
[18] Y. Liu, K. P. Gummadi, B. Krishnamurthy, and A. Mislove.
Analyzing facebook privacy settings: user expectations vs.
reality. In Proceedings of the 2011 ACM SIGCOMM
conference on Internet measurement conference, IMC ’11,
pages 61–70, New York, NY, USA, 2011. ACM.
[19] M. Madejski, M. Johnson, and S. Bellovin. A study of
privacy settings errors in an online social network. In
Pervasive Computing and Communications Workshops
(PERCOM Workshops), 2012 IEEE International
Conference on, pages 340–345, March 2012.
[20] F. Nagle and L. Singh. Can friends be trusted? exploring
privacy in online social networks. In Proceedings of the 2009
International Conference on Advances in Social Network
Analysis and Mining, pages 312–315, Washington, DC,
USA, 2009. IEEE Computer Society.
[21] L. Palen and P. Dourish. Unpacking “privacy” for a
networked world. In CHI ’03: Proceedings of the SIGCHI
conference on Human factors in computing systems, pages
129–136, New York, NY, USA, 2003. ACM.
[22] G. Paolacci, J. Chandler, and P. G. Ipeirotis. Running
experiments on amazon mechanical turk. Judgment and
Decision making, 5(5):411–419, 2010.
[23] J. Ratkiewicz, M. Conover, M. Meiss, B. Gonçalves, S. Patil,
A. Flammini, and F. Menczer. Truthy: mapping the spread of
astroturf in microblog streams. In Proceedings of the 20th
international conference companion on World wide web,
WWW ’11, pages 249–252, New York, NY, USA, 2011.
ACM.
[24] P. N. S. Rita Sara Schreiber. Using Grounded Theory In
Nursing. Springer Publishing Company, ISBN 0826116221,
2001.
[25] B. Schneier. Secrets & Lies: Digital Security in a Networked
World. John Wiley & Sons, Inc., New York, NY, USA, 1st
edition, 2000.
[26] T. Stein, E. Chen, and K. Mangla. Facebook immune system.
In Proceedings of the 4th Workshop on Social Network
Systems, SNS ’11, pages 8:1–8:8, New York, NY, USA,
2011. ACM.
[27] H. Wang and B. Wellman. Social connectivity in america:
Changes in adult friendship network size from 2002 to 2007.
American Behavioral Scientist, 53(8):1148–1169, 2010.
APPENDIX
A. INTERVIEW GUIDE AND QUESTIONS
At the beginning of the interview, we will not inform the inter-
viewees the potential threats of accepting a strangers’ friendship
requests in Facebook. Our objectives is to collect interviewees’ re-
sponses to investigate users’ behaviors towards friendship requests
sent from users and strangers in particular. Our sample includes
active users on Facebook who logged in at least once a week.
Agenda:
1. Give an overview of the project: “The purpose of the study is
to investigate the factors users employ when making a deci-
sion to befriend other users.
2. Introduce second interviewer and specify his role.
Part1:
1. General Questions:
(a) What is your age?
(b) What is your gender?
(c) What is your highest level of education?
(d) What is your major or occupation?
(e) How long have you own a Facebook account?
(f) How often do you use Facebook?
(g) What is your first language?
2. The befriending behavior of users with strangers:
(a) How many friends do you have on Facebook?
(b) How often do you receive friend requests?
(c) Have you ever accepted a friendship request from a stranger
you do not know in real-life or have not met before online
or offline?
(d) What kind of factors do you rely on when you decide
to accept a friendship request from a stranger? (For any
factor users ask, we need to dig into more details by ask-
ing questions) (Gender, Friends, Mutual Friends, Profile,
Picture, Wall show the activity in Facebook)
(The interviewee mentioned gender.) Will you ac-
cept a friendship request from a homosexual stranger
or a heterosexual one?
(The interviewee mentioned friends.) How many friends
does the stranger have that you will accept his/her
friendship request?
(The interviewee mentioned mutual friends.) How
many mutual friends does the stranger have that you
will accept his/her friendship request?
(The interviewee mentioned profile.)
i. Same/different hometown
ii. Same/different schools
iii. Same/different age
(The interviewee mentioned wall.)
Active/quiet person
3. Users’ attitudes towards their privacy security:
(a) Have you ever set your privacy setting? (If yes) How did
you modify your privacy setting?
(b) Have you assigned different privacy setting to your friends?
(If yes) How did you modify your privacy setting for dif-
ferent friends?
13
298 Tenth Symposium On Usable Privacy and Security USENIX Association
(c) Have you had reported any security incident before in
your online activities on Facebook, email, etc.?
(d) Have you realized that if you accept a friendship request
from a stranger, he/she will have the access to your per-
sonal information? (If yes) What kind of information do
you think will be exposed to the strangers?
(e) Do you mind your private data being exposed to the strangers?
(If yes) What kind of information do you mind being ac-
cessed to the strangers?
4. Users’ appeal of strangers:
(a) How do you describe your connection with the stranger
that you have accepted his/her friendship request?
(b) Are you emotionally attached with the strangers?
(c) At the very end, do mention that the request will be re-
moved.
Debriefing happens here!
Part 2:
1. What would be your suggestion if you want to design the win-
dow for friendship requests?
2. Will you change your behavior towards friendship requests?
(If participant had accepted the request)
3. Do you have anything else related to this study that you want
to share with us?
B. SURVEY QUESTIONS
Thanks a lot for participating in this survey. In this survey, there
are questions about your activities on Facebook. It will take you
about 15 to 20 minutes to answer the questions. For the likert-scale
questions, please choose one number from 1 to 5, where 1 means
“strongly disagree” and 5 means “strongly agree”.
1. What is your age?
19 to 25
26 to 30
31 to 35
36 to 40
41 to 45
46 to 50
50 to 55
56 to 60
61 to 65
61 and more
2. What is your gender?
Female
Male
3. What is your highest level of education completed?
High school
Undergraduate
M.Sc
PhD
Other:
4. What is your employment status?
Employed
Student
Retired
Unemployed
Other:
5. How long have you owned a Facebook account?
Less than a year
1 to 2 years
2 to 3 years
3 to 4 years
4 to 5 years
More than 6 years
6. How often do you login into Facebook?
Every hour
Several times a day
Once a day
Several times a week
Once a week
Several times a month
Once a month
I have my account de-activated
Other:
7. Please go to your Facebook profile. How many friends do you
have on your Facebook profile?
Answer:
8. How often do you receive friendship request?
14
USENIX Association Tenth Symposium On Usable Privacy and Security 299
Everyday
At least once in 2-3 days
At least once a week
At least once a month
At least once every 6 months
At least once a year
At least once in every two week
Other:
9. Have you ever accepted a friendship request from somebody
who you do not know in real life or online communities?
Yes
No
10. Check all groups that you would likely befriend on Facebook:
Parents
Siblings
Relatives
Close friends
Friends
Acquaintance
Colleagues
Other:
11. If I distinguish the person from the picture, I would accept the
friendship request.
1
2
3
4
5
12. I usually become friends with:
Only females
Only males
I do not care about the gender
13. Knowing the number of mututal friends is enough for me to
accept a friendship request.
1
2
3
4
5
14. If I have mutual friends with the person who sent me a friend-
ship request, I would look at the closeness of those mutual
friends to me in addition to just the number of mutual friends.
1
2
3
4
5
15. If I know somebody in real world or online communities, I
would accept her/his friendship request on Facebook.
1
2
3
4
5
16. If I recognize someone’s name, I would accept her/his friend-
ship requests on Facebook.
1
2
3
4
5
17. ( ) of my friends actively share content on Facebook (1: a few,
5: almost all)
1 (a few)
2
3
4
5 (almost all)
18. I tend to accept friendship request from everybody, who was
born in the s Iame city as I.
1
2
3
4
5
19. I tend to accept friendship request from everybody, who lives
in the same city as I do.
1
2
3
4
5
20. I tend to accept friendship request from everybody, who have
attended the same school/university as I do.
1
2
3
4
5
21. Similarity in personal interests or hobbies is sufficient for me
to accept friendship requests.
1
2
3
4
5
22. I mostly accept friendship requests from people who share a
lot of content on Facebook.
1
2
3
4
5
23. Users who passively monitor others’ posts on Facebook does’nt
motivate me to post less content on Facebook.
1
15
300 Tenth Symposium On Usable Privacy and Security USENIX Association
2
3
4
5
24. I limit my activities on Facebook because I know my friends
are not interested in the content that I post.
1
2
3
4
5
25. I don’t tend to accept friendship requests sent from Facebook
applications.
1
2
3
4
5
26. I used to share more content since I felt more comfortable to
share content with my Facebook friends.
1
2
3
4
5
27. If my friends shared content irrelevant to me, I would remove
them from my friends list.
1
2
3
4
5
28. I don’t accept a friendship request if I have just common in-
terests or hobbies with the person who sent me friendship re-
quest.
1
2
3
4
5
29. I would accept friendship requests sent from a Facebook ap-
plication (for example a game) on behalf of others.
1
2
3
4
5
30. Who is a Facebook user that you do not want to have a friend-
ship connection with on Facebook?
Anybody who seems to be annoying (sending weird mes-
sage, irrelevant post, etc.) regardless of being known in
real life or not. 308
Anybody except people that are known to some extent
Anybody except for those that have strong connections
in real life
31. How would you define different levels of access for Facebook
friends?
Creating separate lists with different access levels
Using manual exemption feature for each shared content
I do not define different levels of access
16