From the "right to be left alone" to the "right to selective disclosure",
privacy has long been thought as the control individuals have over the
information they share and reveal about themselves. However, in a world that is
more connected than ever, the choices of the people we interact with
increasingly affect our privacy. This forces us to rethink our definition of
privacy. We here formalize and study, as local and global node- and
edge-observability, Bloustein's concept of group privacy. We prove
edge-observability to be independent of the graph structure, while
node-observability depends only on the degree distribution of the graph. We
show on synthetic datasets that, for attacks spanning several hops such as
those implemented by social networks and current US laws, the presence of hubs
increases node-observability while a high clustering coefficient decreases it,
at fixed density. We then study the edge-observability of a large real-world
mobile phone dataset over a month and show that, even under the restricted
two-hops rule, compromising as little as 1% of the nodes leads to observing up
to 46% of all communications in the network. More worrisome, we also show that
on average 36\% of each person's communications would be locally
edge-observable under the same rule. Finally, we use real sensing data to show
how people living in cities are vulnerable to distributed node-observability
attacks. Using a smartphone app to compromise 1\% of the population, an
attacker could monitor the location of more than half of London's population.
Taken together, our results show that the current individual-centric approach
to privacy and data protection does not encompass the realities of modern life.
This makes us---as a society---vulnerable to large-scale surveillance attacks
which we need to develop protections against