330 likes | 337 Views
This article explores the privacy concerns related to online data collection, including the use of cookies, server logs, and profiling. It discusses the risks and implications of merging online and offline data and highlights international and children's privacy issues.
E N D
Privacy Implications of Online Data Collection DIMACS Workshop Lorrie Faith Cranor AT&T Labs-Research http://www.research.att.com/~lorrie/
Recent headlines Activists charge DoubleClick double cross Websites Pull Back From Doubleclick Doubleclick shelves plan to tag Web surfers Senators Raise Privacy Issue In AOL-Time Warner Hearing • Clinton Issues Privacy Warning To Technology Leaders
Online profiling in the comics! March 1, 2000 Cathy
How do they get my data? • Browsers advertise • IP address, domain name, organization, referring page • platform: O/S, browser • which information is requested • Information available to • end servers • local system administrators • other third parties (e.g., doubleclick.com) • Cookies, Web bugs, advertising networks
Browsers like to chatter • A typical HTTP request GET http://www.amazon.com/ HTTP/1.0 User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m) Host: www.amazon.com Referer: http://www.alcoholics-anonymous.org/ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Cookie: session-id-time=868867200; session-id=6828-2461327-649945; group_discount_cookie=F
Servers record what they hear • Server logs • store host, time, date, requested URL, referrer ppp.bu.edu - - [09/Dec/1996:20:33:22 -500] “Get /cgi-bin/wwwais?hemoglobin+geneHTTP/1.0” 200 527 • affiliation: Boston University, probably working from home, probably student or faculty in biology
What about cookies? • Cookies can be useful • used like a staple to attach multiple parts of a form together • used to identify you when you return to a web site so you don’t have to remember a password • used to help web sites understand how people use them • Cookies can be harmful • used to profile users and track their activities, especially across web sites
Search formedicalinformation Buy book Setcookie Readcookie Searchengine Book Store Ad Ad YOU Ad companycan get yourname and address frombook order andlink them to your search
Referer log problems • GET methods result in values in URL • These URLs are sent in the referer header to next host • Example: http://www.merchant.com/cgi_bin/order?name=Tom+Jones&address=here+there&credit+card=234876923234&PIN=1234& -> index.html
What DoubleClick knows… … about Richard M. Smith • Personal data: • My Email address • My full name • My mailing address (street, city, state, and Zip code) • My phone number • Transactional data: • Names of VHS movies I am interesting in buying • Details of a plane trip • Search phrases used at search engines • Health conditions
No clicks required “It was not necessary for me to click on the banner ads for information to be sent to DoubleClick servers.” – Richard M. Smith http://www.tiac.net/users/smiths/privacy/banads.htm
DoubleClick examples AltaVista Yellow Pages – Complete home address (Fixed January 2000) Banner ad URL: http://live.av.com/scripts/search.dll?ep= 7&gca=address&orderby=distance&sstreet=172+mason+terr &scity=brookline&sstate=MA&szip=02446&scountry= USA&query=sinsa&qname=&sic=&ck=&userid=130782922& userpw=.&uh=130782922,0,&ccity=brookline&cstate=MA&ver =hb1.2.2 Travelocity – Email address Referring URL:http://dps1.travelocity.com/promoptout.ctl?email=smiths@TIAC.NET
Merging online and offline data • In mid-February DoubleClick announced plans to merge “anonymous” online data with personal information obtained from offline databases • By the first week in March the plans were put on hold
Public concern • April 1997 Louis Harris Poll of Internet users • 5% say they have been the victim of an invasion of privacy while on the Internet • 53% say they are concerned that information about which sites they visit will be linked to their email address and disclosed without their knowledge • See also “Beyond Concern” study:http://www.research.att.com/projects/privacystudy/
International issues • European Union Data Directive prohibits secondary uses of data without informed consent • Creating personally-identifiable online profiles will have to be opt-in in most cases • Upfront notice must be given when data is collected – no web bugs • No transfer of data to non-EU countries unless there is adequate privacy protection
Children's issues • Children’s Online Privacy Protection Act (COPPA) requires parental consent before collecting personally-identifiable data from children online
Subpoenas • Data on online activities is increasingly of interest in civil and criminal cases • The only way to avoid subpoenas is to not have data • Your files on your computer in your home have much greater legal protection that your files stored on a server on the network
Privacy concerns • Data is often collected silently • Web allows lots of data to be collected easily, cheaply, unobtrusively and automatically • Individuals not given meaningful choice • Data from many sources may be merged • Even non-identifiable daa can become identifiable when merged • Data collected for business purposes may be used in civil and criminal proceedings
Some solutions • Privacy policies • Voluntary guidelines and codes of conduct • Seal programs • Infomediaries • Technologies for facilitating notice and choice • P3P
P3P1.0 – A First Step • Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format • Can be deployed using existing web servers • This will enable users to use tools that: • Display symbols, play sounds, or provide snapshots of sites’ policies • Display symbols or prompts after comparing policies with user preferences
P3P is a Partial Solution • P3P1.0 helps users understand privacy policies but is not a complete solution • Seal programs and regulations help ensure that sites comply with their policies • Anonymity tools reduce the amount of information revealed while browsing • Encryption tools secure data in transit and storage • Laws and codes of practice provide a base line level for acceptable policies
Implementing a P3P 1.0 Server • Formulate privacy policy • Translate privacy policy into P3P format • Place P3P policy on web site • One policy for entire site or multiple policies for different parts of the site • Associate policy with web resources: • Configure server to insert P3P header with link to P3P policy; or • Insert link to P3P policy in HTML content
GET /x.html HTTP/1.1 Host: foo.com . . . Request web page HTTP/1.1 200 OK Content-Type: text/html . . . Send web page A simple HTTP transaction WebServer
HTTP/1.1 200 OK Opt: http://www.w3.org/2000/P3Pv1/; ns=11 11-Policy: http://foo.com/p3p.xml Content-Type: text/html . . . Send web page GET /x.html HTTP/1.1 Host: foo.com . . . Request web page GET /p3p.xml HTTP/1.1 Host: foo.com . . . Request P3P Policy HTTP/1.1 200 OK Content-Type: text/html . . . Send web page HTTP/1.1 200 OK . . . Send P3P Policy A simple HTTP transaction With P3P 1.0 added WebServer
Implementing a P3P1.0 Client • Client can be implemented as browser, proxy, plugg-in, part of an electronic wallet, java applet, javascript, etc. • Can be entirely server side • Look for link to P3P policy and fetch policy with HTTP GET request • Parse policy and take appropriate action • Display symbol, play sound, prompt user, etc. • Action can optionally be based on user preferences • Action can optionally allow data to be automatically filled into form or transferred from electronic wallet
Symbols for how data is used complete transaction R&D Customization marketing Symbols to indicate whether data is shared Symbols to indicate site has privacy seal Symbols to indicate compliance with laws and regulations complies with German law complies with German law if user gives informed consent does not comply with German law Symbols to indicate match/mismatch with user preferences information about cause of mismatch on mouse-over Some P3P Client Ideas
P3P Policies • Machine-readable (XML) version of web site privacy policies • Use P3P Vocabulary to express data practices • Use P3P Base Data Set to express type of data collected • Capture common elements of privacy policies but may not express everything (sites may provide further explanation in human-readable policies)
Who is collecting data? What data is collected? For what purpose will data be used? Is there an ability to change preferences about (opt-in or opt-out) of some data uses? Who are the data recipients (anyone beyond the data collector)? To what information does the data collector provide access? What is the data retention policy? How will disputes about the policy be resolved? Where is the human-readable privacy policy? The P3P Vocabulary
Example Privacy Policy TheCoolCatalog of 123 Main Street, Bethesda, MD 20814, USA, makes the following statement for the Web page at http://www.TheCoolCatalog.com/catalog/. We have a privacy seal from PrivacySeal.org. Our privacy policy is posted at http://www.TheCoolCatalog.com/PrivacyPractice.html. We do not provide access capabilities to information we have about you. We use cookies and collect your gender, information about your clothing preferences, and (optionally) your home address to customize our entry catalog pages and for our own research and product development. We retain this information indefinitely. We also maintain server logs that include information about visits to the http://www.TheCoolCatalog.com/catalog/ page, and the types of browsers our visitors use. We use this information in order to maintain and improve our web site. We retain this information indefinitely.
<POLICY xmlns="http://www.w3.org/2000/P3Pv1" entity=“TheCoolCatalog, 123 Main Street, Bethesda, MD 20814, USA"> <DISPUTES-GROUP><DISPUTES resolution-type="independent" service="http://www.PrivacySeal.org" description="PrivacySeal.org" image="http://www.PrivacySeal.org/Logo.gif"/></DISPUTES-GROUP> <DISCLOSURE discuri="http://www.TheCoolCatalog.com/PrivacyPractice.html" access="none"/> <STATEMENT> <CONSEQUENCE-GROUP><CONSEQUENCE>a site with clothes you would appreciate</CONSEQUENCE></CONSEQUENCE-GROUP> <RECIPIENT><ours/></RECIPIENT><PURPOSE><custom/><develop/></PURPOSE> <RETENTION><indefinitely/></RETENTION> <DATA-GROUP> <DATA name="dynamic.cookies" category="state"/> <DATA name="dynamic.miscdata" category="preference"/> <DATA name="user.gender"/> <DATA name="user.home." optional="yes"/> </DATA-GROUP> </STATEMENT> <STATEMENT> <RECIPIENT><ours/></RECIPIENT> <PURPOSE><admin/><develop/></PURPOSE> <RETENTION><indefinitely/></RETENTION> <DATA-GROUP> <DATA name="dynamic.clickstream.server"/> <DATA name="dynamic.http.useragent"/> </DATA-GROUP> </STATEMENT> </POLICY> P3P/XML Encoding
PrivacyBankbookmark PrivacyBank.Com
PrivacyBankbookmark Infomediary example: PrivacyBank
Challenge • Data is useful for research, targeting potential customers, building relationships with customers, etc. • Privacy laws make data collection more difficult • Data collectors have personal privacy concerns too • How can we collect data in ways that reduce privacy concerns while remaining useful for research and business?