
Developing Online Privacy Standards A View From the Trenches


Presentation Transcript


  1. Developing Online Privacy Standards: A View From the Trenches. Lorrie Faith Cranor, AT&T Labs-Research, http://lorrie.cranor.org/

  2. Outline • Online privacy concerns • Introduction to P3P • P3P implementations • So why did it take so long?

  3. Cathy January 21, 2001

  4. Online privacy – key concerns • Data is often collected silently • Web allows lots of data to be collected easily, cheaply, unobtrusively and automatically • Individuals not given meaningful choice • Individuals don’t know what data is being collected or how it is being used, and often assume the worst • Data from many sources may be merged • Even non-identifiable data can become identifiable when merged • Data collected for business purposes may be used in civil and criminal proceedings

  5. Some solutions • Privacy policies • Voluntary guidelines and codes of conduct • Seal programs • Chief privacy officers • Laws and regulations • Software tools

  6. Privacy policies • Policies let consumers know about a site’s privacy practices • Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with • The presence of privacy policies increases consumer trust • BUT policies are often difficult to understand, hard to find, and take a long time to read • Many policies are changed frequently without notice

  7. Voluntary guidelines • Online Privacy Alliance http://www.privacyalliance.org • Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml • Network Advertising Initiative Principles http://www.networkadvertising.org/

  8. OECD fair information principles http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM • Collection limitation • Data quality • Purpose specification • Use limitation • Security safeguards • Openness • Individual participation • Accountability

  9. Simplified principles • Notice and disclosure • Choice and consent • Data security • Data quality and access • Recourse and remedies

  10. Seal Programs • TRUSTe – http://www.truste.org • BBBOnline – http://www.bbbonline.org • CPA WebTrust – http://www.cpawebtrust.org/ • Japanese Privacy Mark http://www.jipdec.or.jp/security/privacy/

  11. Chief Privacy Officers • Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns • Role of CPO varies in each company • Draft privacy policy • Respond to customer concerns • Educate employees about company privacy policy • Review new products and services for compliance with privacy policy • Develop new initiatives to keep company out front on privacy issue • Monitor pending privacy legislation

  12. Laws and regulations • Privacy laws and regulations vary widely throughout the world • US has mostly sector-specific laws, with relatively minimal protections • Federal Trade Commission has jurisdiction over fraud and deceptive practices • Federal Communications Commission regulates telecommunications • European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws • Privacy commissions in each country (some countries have national and state commissions)

  13. Software tools • Anonymity and pseudonymity tools: anonymizing proxies; mix networks and similar web anonymity tools (onion routing, Crowds, Freedom); anonymous email • Encryption tools: file encryption; email encryption; encrypted network connections • Filters: cookie cutters; child protection software • Information and transparency tools: identity management tools; P3P • Other tools: privacy-friendly search engines; computer “cleaners”; tools to facilitate access

  14. Platform for Privacy Preferences Project (P3P) • Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/ • Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format • Can be deployed using existing web servers • This will enable the development of tools (built into browsers or separate applications) that: • Provide snapshots of sites’ policies • Compare policies with user preferences • Alert and advise the user

  15. P3P is part of the solution • P3P1.0 helps users understand privacy policies but is not a complete solution • Seal programs and regulations help ensure that sites comply with their policies • Anonymity tools reduce the amount of information revealed while browsing • Encryption tools secure data in transit and storage • Laws and codes of practice provide a baseline level for acceptable policies

  16. How P3P works • P3P provides a standard XML format that web sites use to encode their privacy policies • Sites also provide “policy reference files” to indicate which policy applies to which part of the site • No special server software required

  17. A simple HTTP transaction (diagram) • Request web page: GET /index.html HTTP/1.1 / Host: www.att.com / ... • Web server sends web page: HTTP/1.1 200 OK / Content-Type: text/html / ...

  18. ... with P3P 1.0 added (diagram) • Request policy reference file: GET /w3c/p3p.xml HTTP/1.1 / Host: www.att.com • Web server sends policy reference file • Request P3P policy • Web server sends P3P policy • Request web page: GET /index.html HTTP/1.1 / Host: www.att.com / ... • Web server sends web page: HTTP/1.1 200 OK / Content-Type: text/html / ...

  19. Using P3P on your Web site • Formulate privacy policy • Translate privacy policy into P3P format • Use a policy generator tool • Place P3P policy on web site • One policy for entire site or multiple policies for different parts of the site • Associate policy with web resources: • Place P3P policy reference file (which identifies location of relevant policy file) at well-known location on server; • Configure server to insert P3P header with link to P3P policy reference file; or • Insert link to P3P policy reference file in HTML content
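The well-known-location step of slides 18 and 19, as an added example that is not code from the talk or from the W3C: a user agent fetches /w3c/p3p.xml, then uses the INCLUDE/EXCLUDE patterns of each POLICY-REF to decide which policy covers a requested path. The policy reference file, policy URIs and paths are constructed; the element names follow P3P 1.0.

```python
# Added example (not from the talk or the W3C): resolve which P3P policy
# applies to a requested path using the policy reference file fetched from
# the well-known location /w3c/p3p.xml. The reference file is constructed;
# element names follow P3P 1.0.
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = "{http://www.w3.org/2001/09/P3Pv1}"
WELL_KNOWN_LOCATION = "/w3c/p3p.xml"   # step 1 of the slide-18 exchange

# Constructed policy reference file: one policy for most of the site, a
# second one for the store, and no policy at all for /cgi-bin/.
POLICY_REFERENCE_FILE = f"""<META xmlns="{NS[1:-1]}">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
      <EXCLUDE>/store/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#store">
      <INCLUDE>/store/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

def matches_pattern(pattern: str, path: str) -> bool:
    """P3P's only wildcard is '*', matching any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, path) is not None

def resolve_policy(reference_xml: str, path: str) -> Optional[str]:
    """Return the policy URI covering path, or None if no POLICY-REF does.

    A path is covered when it matches an INCLUDE and no EXCLUDE of the same
    POLICY-REF; with overlapping references this example takes the first.
    """
    root = ET.fromstring(reference_xml)
    for ref in root.iter(NS + "POLICY-REF"):
        included = any(matches_pattern(i.text.strip(), path) for i in ref.findall(NS + "INCLUDE"))
        excluded = any(matches_pattern(e.text.strip(), path) for e in ref.findall(NS + "EXCLUDE"))
        if included and not excluded:
            return ref.get("about")
    return None  # a user agent would then treat the resource as having no policy

if __name__ == "__main__":
    for p in ["/index.html", "/store/cart.html", "/cgi-bin/search"]:
        print(p, "->", resolve_policy(POLICY_REFERENCE_FILE, p))
```

The same lookup applies when the reference file is found through the P3P HTTP header or an HTML link instead of the well-known location; only the discovery step differs.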

  20. The P3P vocabulary • Who is collecting data? • What data is collected? • For what purpose will data be used? • Is there an ability to opt-in or opt-out of some data uses? • Who are the data recipients (anyone beyond the data collector)? • To what information does the data collector provide access? • What is the data retention policy? • How will disputes about the policy be resolved? • Where is the human-readable privacy policy?

  21. Transparency • P3P clients can check a privacy policy each time it changes • P3P clients can check privacy policies on all objects in a web page, including ads and invisible images • Example from the slide: the page http://www.att.com/accessatt/ and an ad URL it embeds, http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE

  22. User preferences • P3P spec does not specify how users should configure their preferences or what user agent should do • Some guidelines are offered in Guiding Principles • A separate W3C specification – A P3P Preference Exchange Language (APPEL) provides a standard format for encoding preferences • Not required for P3P user agent implementations
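How a user agent turns the vocabulary of slide 20 and the preferences of slide 22 into a match or mismatch, as an added example that is not code from the talk, the AT&T Privacy Tool or APPEL: each STATEMENT of a policy is checked against a small preference set that, in the spirit of a canned "Basic Privacy" setting, refuses sharing of identified data beyond the site and marketing contact without opt-in. The policy, the preference rules and the #user./#dynamic. split are constructed; the element names and values follow P3P 1.0.

```python
# Added example: match a P3P 1.0 policy against user preferences. Not code
# from the talk or the AT&T Privacy Tool; policy and rules are constructed.
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2001/09/P3Pv1}"

# Constructed policy: clickstream for site administration only; name and
# e-mail used for marketing contact (opt-out only) and shared with unrelated parties.
POLICY = f"""<POLICIES xmlns="{NS[1:-1]}">
 <POLICY name="general">
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact required="opt-out"/><telemarketing required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><unrelated/></RECIPIENT>
   <DATA-GROUP><DATA ref="#user.name.given"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Constructed preferences (assumed, in the spirit of a "Basic Privacy" setting):
# identified data (#user.* refs) must not leave the site or be used for
# marketing contact unless the user opts in.
PREFERENCES = {
    "identified_prefix": "#user.",
    "forbidden_recipients": {"unrelated", "public"},
    "purposes_needing_opt_in": {"contact", "telemarketing"},
}

def local(tag):
    return tag[len(NS):] if tag.startswith(NS) else tag  # drop the namespace

def find_mismatches(policy_xml, prefs):
    """Return (data-ref, reason) pairs for each STATEMENT that violates prefs."""
    problems = []
    for st in ET.fromstring(policy_xml).iter(NS + "STATEMENT"):
        refs = [d.get("ref") for d in st.iter(NS + "DATA")]
        identified = [r for r in refs if r.startswith(prefs["identified_prefix"])]
        if not identified:
            continue  # these preferences only constrain identified data
        for p in st.find(NS + "PURPOSE"):
            # In P3P a PURPOSE without 'required' means "always": no choice offered.
            if local(p.tag) in prefs["purposes_needing_opt_in"] and p.get("required", "always") != "opt-in":
                problems += [(r, f"{local(p.tag)} without opt-in") for r in identified]
        for bad in {local(r.tag) for r in st.find(NS + "RECIPIENT")} & prefs["forbidden_recipients"]:
            problems += [(r, f"shared with {bad}") for r in identified]
    return problems
```

A tool like the one on slides 27 to 29 would show the returned pairs as the "mismatch" summary and could offer the pop-up alert before a form is submitted.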

  23. Types of P3P user agent tools • On-demand or continuous • Some tools only check for P3P policies when the user requests, others check automatically at every site • Generic or customized • Some tools simply describe a site’s policy in some user friendly format – others are customizable and can compare the policy with a user’s preferences • Information-only or automatic action • Some tools simply inform users about site policies, while others may actively block cookies, referrers, etc. or take other actions at sites that don’t match user’s preferences • Built-in, add-on, or service • Some tools may be built into web browsers or other software, others are designed as plug-ins or other add-ons, and others may be provided as part of an ISP or other service

  24. Other types of P3P tools • P3P validators • Check a site’s P3P policy for valid syntax • Policy generators • Generate P3P policies and policy reference files for web sites • Web site management tools • Assist sites in deploying P3P across the site, making sure forms are consistent with P3P policy, etc. • Search and comparison tools • Compare privacy policies across multiple web sites – perhaps built into search engines

  25. P3P in IE6 • Initial focus is on P3P policies for cookies • Privacy icon on status bar

  26. AT&T WorldNet Privacy Tool • Testing in WorldNet Beta club later this month • Future FREE public release • http://privacy.research.att.com/

  27. Chirping bird is privacy indicator

  28. Click on the bird for more info

  29. Privacy policy summary - mismatch

  30. What is unique about this? • Automatic processing done for all web page components, not just cookies • Optional pop-up alerts before submitting forms at sites that don’t match user preferences • Automatic processing reads full P3P policy, not just compact policies • Privacy icon/button displayed at all sites, not just “unsatisfactory” sites • Privacy icon/button doesn’t disappear at sites with pop-ups, no browser toolbar, etc. • Many customization choices for users • P3P language simplified for easier understanding

  31. So why has it taken so long?

  32. In the beginning… • There was the Platform for Internet Content Selection (PICS) • A system for creating rating systems and labeling web sites • Developed by the World Wide Web Consortium (W3C) • Designed primarily so parents could filter content they found inappropriate for their children • Flexible enough to support almost any kind of rating system

  33. How about PICS for privacy? • In 1996 the US Congress and Federal Trade Commission became aware of online privacy concerns • Industry groups began to discuss a strategy for preventing onerous legislation • Those involved with the PICS project suggested that it be used to help people maintain control of their personal info

  34. But why stop there? • Don’t just label, negotiate! • And digitally sign agreements • And automatically enforce the agreements • And make it more convenient to store and transfer personal info • And much, much more... • ...And so we began work on P3P

  35. P3P1.0

  36. Developing the P3P vocabulary Examples of difficulties • Finding the right degree of granularity • Getting agreement between privacy advocates and industry lawyers • Getting agreement between North Americans and Europeans (and Asians, Australians, etc.) • What is personally identifiable information? • Is IP address personally identifiable? • … and many more….

  37. Defining a Reasonable Grammar • There are many pieces of privacy-related information that could be included, how do we know if grammar is expressive enough? • Could the Web site use the grammar (and vocabulary) to clearly express that its practices meet legal requirements? • Does the grammar provide the ability to express enough information such that a third party could issue recommended settings that are meaningful to users?

  38. Rating Systems and Vocabularies [report-card illustration: Math A, Science B, English B+, Spelling D-, History C, French A-, Spanish F, Gym A+, Art B-, Music C, Drama B]

  39. Descriptive Versus Subjective [diagram: a spectrum from descriptive (many variables, complex) to subjective (few variables, simple)] • Source: L. Cranor and J. Reagle. Designing a Social Protocol: Lessons Learned from the Platform for Privacy Preferences. In Jeffrey K. MacKie-Mason and David Waterman, eds., Telephony, the Internet, and the Media. Mahwah: Lawrence Erlbaum Associates, 1998. (Paper presented at the Telecommunications Policy Research Conference, Alexandria, VA, September 27-29, 1997.)

  40. Can’t derive descriptive from subjective [illustration: a single subjective rating (“?”) leaves open many possible reasons: bad acting? boring plot? bad script? dull characters? unbelievable premise? unoriginal? too much violence? not enough violence? A descriptive label states the reason, e.g. “characters not well developed” or “gratuitous sex and violence”]

  41. Recommended Settings • Overlay a simpler subjective vocabulary on top of a more complicated descriptive one • Users can plug in recommended settings as canned configuration files [example settings shown: GoodMouseclickings, Great Privacy, NearlyAnonymousSurfing, Basic Privacy]

  42. AT&T preference settings [screenshot: settings grouped by data category] • Health or medical information • Financial or purchase information • Personally identifiable information • Non-personally identifiable information • Import and export settings

  43. The Myth of Internet Time • Internet time is fast, but most people don’t operate on Internet time • Corollary: Most standards bodies don’t operate on Internet time • Corollary: Most companies don’t operate on Internet time • Corollary: Most governments don’t operate on Internet time • Don’t expect anything to really happen in Internet time

  44. Don’t rely on future inventions • Standards and technologies that are said to be just around the corner are often miles away • And Internet time doesn’t change that

  45. But time is a funny thing… • Overall, this specification took a really long time (~5 years) • But the individual decisions that had to be made to create this specification were each made pretty quickly (~2 weeks) • In order to participate effectively in this process, people had to pay close attention and be prepared to review proposals in <2 weeks

  46. Other problems • The evolving W3C process • Ever changing working group membership and W3C staff representatives • Patent problems • Getting the attention of browser implementers • Making the specification work efficiently within existing infrastructure

  47. If you build it, will they come? Some lessons learned… • A good design is not sufficient • Think about deployment scenarios and adoption strategies from the beginning • Get buy-in from those with the resources and/or power to make things happen • Don’t design a kitchen when all people are willing to build right now is a toaster
