500 likes | 660 Views
Web Privacy with P3P. Lorrie Faith Cranor P3P Specification Working Group Chair AT&T Labs-Research July 2002. http://lorrie.cranor.org/. Part I: The online privacy landscape. 2. Web privacy concerns Surveys How do they get my Data? Browser chatter Cookies 101 Online and offline merging
E N D
Web Privacy with P3P Lorrie Faith CranorP3P Specification Working Group ChairAT&T Labs-Research July 2002 http://lorrie.cranor.org/
Web privacy concerns Surveys How do they get my Data? Browser chatter Cookies 101 Online and offline merging Subpoenas Spyware Monitoring devices Solutions Privacy policies Voluntary guidelines Seal programs Chief privacy officers Laws and Regulations Software tools Software tools Outline Part I: The online privacy landscape
The Online Privacy Landscape: Privacy concerns Web privacy concerns • Data is often collected silently • Web allows large quantities of data to be collected inexpensively and unobtrusively • Data from multiple sources may be merged • Non-identifiable information can become identifiable when merged • Data collected for business purposes may be used in civil and criminal proceedings • Users given no meaningful choice • Few sites offer alternatives
The Online Privacy Landscape: Privacy concerns Privacy surveys find concerns • Increasingly people say they are concerned about online privacy (80-90% of US Net users) • Improved privacy protection is factor most likely to persuade non-Net users to go online • 27% of US Net users have abandoned online shopping carts due to privacy concerns • 64% of US Net users decided not to use a web site or make an online purchase due to privacy concerns • 34% of US Net users who do not buy online would buy online if they didn’t have privacy concerns
The Online Privacy Landscape: Privacy concerns Beyond concern • April 1999 Study: Beyond Concern:Understanding Net Users' Attitudes About Online Privacy by Cranor, Ackerman and Reagle (US panel results reported) http://www.research.att.com/projects/privacystudy/ • Internet users more likely to provide info when they are not identified • Some types of data more sensitive than others • Many factors important in decisions about information disclosure • Acceptance of persistent identifiers varies according to purpose • Internet users dislike automatic data transfer
The Online Privacy Landscape: Privacy concerns Few read privacy policies • 3% review online privacy policies carefully most of the time • Most likely to review policy before providing credit card info • Policies too time consuming to read and difficult to understand • 70% would prefer standard privacy policy format • Most interested in knowing about data sharing and how to get off marketing lists • People are more comfortable at sites that have privacy policies, even if they don’t read them
The Online Privacy Landscape: Privacy concerns Survey references • Mark S. Ackerman, Lorrie Faith Cranor and Joseph Reagle, Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy, (AT&T Labs, April 1999), http://www.research.att.com/projects/privacystudy/ • Mary J. Culnan and George R. Milne, The Culnan-Milne Survey on Consumers & Online Privacy Notices: Summary of Responses, (December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/culnan-milne.pdf. • Cyber Dialogue, Cyber Dialogue Survey Data Reveals Lost Revenue for Retailers Due to Widespread Consumer Privacy Concerns, (Cyber Dialogue, November 7, 2001), http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.html. • Forrester Research, Privacy Issues Inhibit Online Spending, (Forrester, October 3, 2001). • Louis Harris & Associates and Alan F. Westin, Commerce, Communication and Privacy Online (Louis Harris & Associates, 1997), http://www.privacyexchange.org/iss/surveys/computersurvey97.html • Louis Harris & Associates and Alan F. Westin. E-Commerce and Privacy, What Net Users Want, (Sponsored by Price Waterhouse and Privacy & American Business. P & AB, June 1998). http://www.privacyexchange.org/iss/surveys/ecommsum.html • Opinion Research Corporation and Alan F. Westin. “Freebies” and Privacy: What Net Users Think. Sponsored by Privacy & American Business. P & AB, July 1999. http://www.privacyexchange.org/iss/surveys/sr990714.html • Privacy Leadership Initiative, Privacy Notices Research Final Results, (Conducted by Harris Interactive, December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf An extensive list of privacy surveys from around the world is available from http://www.privacyexchange.org/iss/surveys/surveys.html.
Browsers chatter about IP address, domain name, organization, Referring page Platform: O/S, browser What information is requested URLs and search terms Cookies To anyone who might be listening End servers System administrators Internet Service Providers Other third parties Advertising networks Anyone who might subpoena log files later The Online Privacy Landscape: How do they get my data? Browser Chatter
The Online Privacy Landscape: How do they get my data? Typical HTTP request with cookie GET /retail/searchresults.asp?qu=beer HTTP/1.0 Referer: http://www.us.buy.com/default.asp User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA i386) Host: www.us.buy.com Accept: image/gif, image/jpeg, image/pjpeg, */* Accept-Language:en Cookie:buycountry=us; dcLocName=Basket; dcCatID=6773; dcLocID=6773; dcAd=buybasket; loc=; parentLocName=Basket; parentLoc=6773; ShopperManager%2F=ShopperManager%2F=66FUQULL0QBT8MMTVSC5MMNKBJFWDVH7; Store=107; Category=0
The Online Privacy Landscape: How do they get my data? Referer log problems • GET methods result in values in URL • These URLs are sent in the referer header to next host • Example: http://www.merchant.com/cgi_bin/order?name=Tom+Jones&address=here+there&credit+card=234876923234&PIN=1234&->index.html
The Online Privacy Landscape: How do they get my data? Cookies 101 • Cookies can be useful • Used like a staple to attach multiple parts of a form together • Used to identify you when you return to a web site so you don’t have to remember a password • Used to help web sites understand how people use them • Cookies can do unexpected things • Used to profile users and track their activities, especially across web sites
The Online Privacy Landscape: How do they get my data? How cookies work – the basics • A cookie stores a small string of characters • A web site asks your browser to “set” a cookie • Whenever you return to that site your browser sends the cookie back automatically Please store cookie xyzzy Here is cookie xyzzy site browser site browser First visit to site Later visits
Cookies are only sent back to the “site” that set them – but this may be any host in domain Sites setting cookies indicate path, domain, and expiration for cookies Cookies can store user info or a database key that is used to look up user info – either way the cookie enables info to be linked to the current browsing session The Online Privacy Landscape: How do they get my data? How cookies work – advanced Send me with requests for index.html on y.x.com for this session only Send me with any request to x.com until 2008 DatabaseUsers … Email … Visits … User=Joe Email=Joe@x.com Visits=13 User=4576904309
The Online Privacy Landscape: How do they get my data? Cookie terminology • Cookie Replay – sending a cookie back to a site • Session cookie – cookie replayed only during current browsing session • Persistent cookie – cookie replayed until expiration date • First-party cookie – cookie associated with the site the user requested • Third-party cookie – cookie associated with an image, ad, frame, or other content from a site with a different domain name that is embedded in the site the user requested • Browser interprets third-party cookie based on domain name, even if both domains are owned by the same company
The Online Privacy Landscape: How do they get my data? Web bugs • Invisible “images” (1-by-1 pixels, transparent) embedded in web pages and cause referer info and cookies to be transferred • Also called web beacons, clear gifs, tracker gifs,etc. • Work just like banner ads from ad networks, but you can’t see them unless you look at the code behind a web page • Also embedded in HTML formatted email messages, MS Word documents, etc. • For more info on web bugs see: http://www.privacyfoundation.org/resources/webbug.asp • For software to detect web bugs see: http://www.bugnosis.org
The Online Privacy Landscape: How do they get my data? How data can be linked • Every time the same cookie is replayed to a site, the site may add information to the record associated with that cookie • Number of times you visit a link, time, date • What page you visit • What page you visited last • Information you type into a web form • If multiple cookies are replayed together, they are usually logged together, effectively linking their data • Narrow scoped cookie might get logged with broad scoped cookie
The Online Privacy Landscape: How do they get my data? search for medical information buy CD replay cookie set cookie Ad Ad Ad networks Ad companycan get yourname and address fromCD order andlink them to your search Search Service CD Store
Personal data: Email address Full name Mailing address (street, city, state, and Zip code) Phone number Transactional data: Details of plane trips Search phrases used at search engines Health conditions The Online Privacy Landscape: How do they get my data? What ad networks may know… “It was not necessary for me to click on the banner ads for information to be sent to DoubleClick servers.” – Richard M. Smith
The Online Privacy Landscape: How do they get my data? Online and offline merging • In November 1999, DoubleClick purchased Abacus Direct, a company possessing detailed consumer profiles on more than 90% of US households. • In mid-February 2000 DoubleClick announced plans to merge “anonymous” online data with personal information obtained from offline databases • By the first week in March 2000 the plans were put on hold • Stock dropped from $125 (12/99) to $80 (03/00)
The Online Privacy Landscape: How do they get my data? Offline data goes online… The Cranor family’s 25 most frequentgrocerypurchases (sorted by nutritional value)!
The Online Privacy Landscape: How do they get my data? Subpoenas • Data on online activities is increasingly of interest in civil and criminal cases • The only way to avoid subpoenas is to not have data • In the US, your files on your computer in your home have much greater legal protection that your files stored on a server on the network
The Online Privacy Landscape: How do they get my data? Spyware • Spyware: Software that employs a user's Internet connection, without their knowledge or explicit permission, to collect information • Most products use pseudonymous, but unique ID • Over 800 known freeware and shareware products contain Spyware, for example: • Beeline Search Utility • GoZilla Download Manager • Comet Cursor • Often difficult to uninstall! • Anti-Spyware Sites: • http://grc.com/oo/spyware.htm • http://www.adcop.org/smallfish • http://www.spychecker.com • http://cexx.org/adware.htm
The Online Privacy Landscape: How do they get my data? Devices that monitor you Creative Labs Nomad JukeBox Music transfer software reportsall uploads to Creative Labs. http://www.nomadworld.com Sony eMarker Lets you figure out the artitst and title of songs you hear on the radio. And keeps a personal log of all the music you like on the emarker Web site. http://www.emarker.com Sportbrain Monitors daily workout. Customphone cradle uploads data to company Web site for analysis. http://www.sportbrain.com/ :CueCat Keeps personal log of advertisements you‘re interested in. http://www.crq.com/cuecat.html See http://www.privacyfoundation.org/
The Online Privacy Landscape: Solutions Some solutions • Privacy policies • Voluntary guidelines and codes of conduct • Seal programs • Chief privacy officers • Laws and regulations • Software tools
The Online Privacy Landscape: Solutions Privacy policies • Policies let consumers know about site’s privacy practices • Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with • The presence or privacy policies increases consumer trust
The Online Privacy Landscape: Solutions Privacy policy problems • BUT policies are often • difficult to understand • hard to find • take a long time to read • change without notice
The Online Privacy Landscape: Solutions Voluntary guidelines • Online Privacy Alliancehttp://www.privacyalliance.org • Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml • Network Advertising Initiative Principles http://www.networkadvertising.org/
The Online Privacy Landscape: Solutions OECD fair information principles http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM • Collection limitation • Data quality • Purpose specification • Use limitation • Security safeguards • Openness • Individual participation • Accountability
The Online Privacy Landscape: Solutions Simplified principles • Notice and disclosure • Choice and consent • Data security • Data quality and access • Recourse and remedies US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/
The Online Privacy Landscape: Solutions Seal programs • TRUSTe – http://www.truste.org • BBBOnline – http://www.bbbonline.org • CPA WebTrust – http://www.cpawebtrust.org/ • Japanese Privacy Mark http://www.jipdec.or.jp/security/privacy/
The Online Privacy Landscape: Solutions Seal program problems • Certify only compliance with stated policy • Limited ability to detect non-compliance • Minimal privacy requirements • Don’t address privacy issues that go beyond the web site • Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes
The Online Privacy Landscape: Solutions Chief privacy officers • Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns • Role of CPO varies in each company • Draft privacy policy • Respond to customer concerns • Educate employees about company privacy policy • Review new products and services for compliance with privacy policy • Develop new initiatives to keep company out front on privacy issue • Monitor pending privacy legislation
The Online Privacy Landscape: Solutions Laws and regulations • Privacy laws and regulations vary widely throughout the world • US has mostly sector-specific laws, with relatively minimal protections • Federal Trade Commission has jurisdiction over fraud and deceptive practices • Federal Communications Commission regulates telecommunications • European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws • Privacy commissions in each country (some countries have national and state commissions) • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)
The Online Privacy Landscape: Solutions Some US privacy laws • Bank Secrecy Act, 1970 • Fair Credit Reporting Act, 1971 • Privacy Act, 1974 • Right to Financial Privacy Act, 1978 • Cable TV Privacy Act, 1984 • Video Privacy Protection Act, 1988 • Family Educational Right to Privacy Act, 1993 • Electronic Communications Privacy Act, 1994 • Freedom of Information Act, 1966, 1991, 1996
The Online Privacy Landscape: Solutions US law – recent additions • HIPAA (Health Insurance Portability and Accountability Act, 1996) • When implemented, will protect medical records and other individually identifiable health information • COPPA (Children‘s Online Privacy Protection Act, 1998) • Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13 • GLB (Gramm-Leach-Bliley-Act, 1999) • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions
The Online Privacy Landscape: Solutions Safe harbor • Membership • US companies self-certify adherance to requirements • Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/ • Signatories must provide • notice of data collected, purposes, and recipients • choice of opt-out of 3rd-party transfers, opt-in for sensitive data • access rights to delete or edit inaccurate information • security for storage of collected data • enforcement mechanisms for individual complaints • Approved July 26, 2000 by EU • reserves right to renegotiate if remedies for EU citizens prove to be inadequate
The Online Privacy Landscape: Solutions Implications of Directive for web sites • European Union Data Directive prohibits secondary uses of data without informed consent • Creating personally-identifiable online profiles will have to be opt-in in most cases • Upfront notice must be given when data is collected – no web bugs • No transfer of data to non-EU countries unless there is adequate privacy protection
The Online Privacy Landscape: Solutions Data protectionagencies • Australia: http://www.privacy.gov.au/ • Canada: http://www.privcom.gc.ca/ • France: http://www.cnil.fr/ • Germany: http://www.bfd.bund.de/ • Hong Kong: http://www.pco.org.hk/ • Italy: http://www.privacy.it/ • Spain: http://www.ag-protecciondatos.es/ • Switzerland: http://www.edsb.ch/ • UK: http://www.dataprotection.gov.uk/ … And many more
Encryption tools – prevent others from listening in on your communications File encryption Email encryption Encrypted network connections Anonymity and pseudonymity tools – prevent your actions from being linked to you Anonymizing proxies Mix Networks and similar web anonymity tools Anonymous email Information and transparency tools – make informed choices about how your information will be used Identity management tools P3P Filters Cookie cutters Child protection software Other tools Computer “cleaners” Privacy suites Personal firewalls The Online Privacy Landscape: Solutions Software tools
The Online Privacy Landscape: Solutions Request Request Reply Reply The Anonymizer • Acts as a proxy for users • Hides information from end servers • Sees all web traffic • Adds ads to pages (free service; subscription service also available) http://www.anonymizer.com Anonymizer Client Server
The Online Privacy Landscape: Solutions msg dest,msg B, C kC kB kA kC dest,msg C kC kB dest,msg kX = encrypted with public key of Mix X Mixes [Chaum81] Sender Destination Mix C Mix A Mix B Sender routes message randomly through network of “Mixes”, using layered public-key encryption.
The Online Privacy Landscape: Solutions Crowds • Users join a Crowd of other users • Web requests from the crowd cannot be linked to any individual • Protection from • end servers • other crowd members • system administrators • eavesdroppers • First system to hide data shadow on the web without trusting a central authority http://www.research.att.com/projects/crowds/
The Online Privacy Landscape: Solutions Anonymous email • Anonymous remailers allow people to send email anonymously • Similar to anonymous web proxies • Some can be chained and work like mixes http://anon.efga.org/~rlist
The Online Privacy Landscape: Solutions Filters • Cookie Cutters • Block cookies, allow for more fine-grained cookie control, etc. • Some also filter ads, referer header, and browser chatter • http://www.junkbusters.com/ht/en/links.html#measures • Child Protection Software • Block the transmission of certain information via email, chat rooms, or web forms when child is using computer • Limit who a child can email or chat with • http://www.getnetwise.org/
The Online Privacy Landscape: Solutions Anonymizing agent Regulatoryandself-regulatoryframework Cookie cutter Secure channel Regulatoryandself-regulatoryframework P3P user agent Privacy tools The Internet User Service
http://www.aclu.org/ http://www.cdt.org/ http://www.cpsr.org/ http://www.consumerprivacyguide.org/ http://www.eff.org/ http://www.epic.org/ http://www.healthprivacy.org/ http://www.junkbusters.com/ http://www.privacyalliance.org/ http://www.pandab.org/ http://www.privacyexchange.org/ http://www.vortex.com/privacy.html http://www.privacyfoundation.org/ http://www.privacy.org/pi/ http://www.privacyjournal.net/ http://www.understandingprivacy.org/ http://www.privacy.org/ http://www.privacyplace.com/ http://www.privacyrights.org/ http://www.privacytimes.com/ http://www.anu.edu.au/people/Roger.Clarke/DV/index.html http://headlines.yahoo.com/Full_Coverage/Tech/Internet_Privacy/ The Online Privacy Landscape Privacy websites
The Online Privacy Landscape Books • Web Privacy with P3P by Lorrie Faith Cranor • Database Nation by Simson Garfinkel • The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments by Marc Rotenberg