Transcript Online privacy - Yale University

Online Privacy
ECON 425/563 // CPSC 455/555
NOVEMBER 6, 2008
Outline
 Large amounts of sensitive information
flow around the web.
 Privacy-enhancing technology has been
developed and deployed (example:
P3P).
 Economic approaches to the
management of private information
(Acknowledgements: L. Cranor, C. Lu, and
H. Varian)
2
Online privacy in the comics!
Cathy
February 25, 2000
3
Why is Cathy concerned?
Cathy
March 1, 2000
4
How did Irving find this out?
He snooped her email
He looked at the files on her computer
He observed the “chatter” sent by her
browser
He set cookies through banner ads and
“web bugs” that allowed him to track
her activities across web sites
5
What do browsers chatter about?
 Browsers chatter
about
IP address, domain
name, organization,
Referring page
Platform: O/S,
browser
What information is
requested
 URLs and search terms
Cookies
 To anyone who might
be listening
End servers
System administrators
Internet Service
Providers
Other third parties
 Advertising networks
Anyone who might
subpoena log files
later
6
A typical HTTP request
GET /retail/searchresults.asp?qu=beer HTTP/1.0
Referer: http://www.us.buy.com/default.asp
User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD
1.5_ALPHA i386)
Host: www.us.buy.com
Accept: image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en
Cookie: buycountry=us; dcLocName=Basket;
dcCatID=6773; dcLocID=6773; dcAd=buybasket;
loc=; parentLocName=Basket; parentLoc=6773;
ShopperManager%2F=ShopperManager%2F=66FUQ
ULL0QBT8MMTVSC5MMNKBJFWDVH7; Store=107;
Category=0
7
What about cookies?
 Cookies can be useful
 used like a staple to attach
multiple parts of a form
together
 used to identify you when
you return to a web site so
you don’t have to
remember a password
 used to help web sites
understand how people use
them
 Cookies can do
unexpected things
 used to profile users and
track their activities,
especially across web sites
8
How do cookies work?
 A cookie stores a small string of characters
 A web site asks your browser to “set” a cookie
 Whenever you return to that site your browser sends
the cookie back automatically
 Cookies are only sent back to the site that set them
Please store
cookie xyzzy
site
Here is cookie
xyzzy
browser
First visit to site
site
browser
Later visits
9
YOU
Search for
medical
information
Buy book
Set
cookie
Read
cookie
Ad
Search
engine
Ad
Ad company
can get your
name and
address from
book order and
link them to
your search
Book
Store
10
Web bugs
 Invisible “images” embedded in web pages
that cause cookies to be transferred
 Work just like banner ads from ad networks,
but you can’t see them unless you look at the
code behind a web page
 Also embedded in HTML formatted email
messages
For more info on web bugs see:
http://www.privacyfoundation.org/
education/webbug.html
11
Referer log problems
GET methods result in values in URL
These URLs are sent in the referer
header to next host
Example:
http://www.merchant.com/cgi_bin/o
rder?name=Tom+Jones&address=her
e+there&credit+card=23487692323
4&PIN=1234& -> index.html
12
A Technological Approach
The Platform for Privacy Preferences
(P3P) is a standard, computer-readable
format for privacy policies and a
protocol allowing web browsers and
other tools to read and process privacy
policies automatically.
13
Who created P3P?
 World Wide Web Consortium (W3C) – a
nonprofit, industry-supported consortium
including researchers and engineers from
over 420 institutions.
 Participants in the development of P3P came
from around the world, including
representatives from industry, government,
nonprofit organizations, and academia.
14
Why was P3P created?
 To increase consumer trust.
“If the ability to spend is the fuel that propels the economic
engine, then consumers’ trust and confidence in that engine is
the lubricant.”
 To protect privacy by allowing informed
choice.
Privacy is the ability of individuals to exercise control over the
disclosure and subsequent uses of their personal information.
Hence notice is fundamental to the individual’s ability to protect
his or her privacy.
 To make choice easy.
Privacy policies are difficult and time-consuming to locate, to
read, and to understand; and they change frequently without
notice.
15
How does P3P work? (1)
1. User sets
personal
privacy
preferences on
a tool such as
a browser.
16
How does P3P work? (2)
2. Browser requests privacy policy from a
(P3P-compliant) Web site.
3. Browser compares the privacy policy with
the user’s privacy preferences and acts
accordingly. (Symbols, pop-up prompts,
etc.)
17
P3P Policy Elements Include:
 Who is collecting these data?
 What information is being collected?
 For what purpose?
 Which information is being shared with others?
 Who are these data recipients?
 Can users access their identified data?
 Can users make changes in how their data is
used?
 What is the policy for retaining data?
 How are disputes resolved?
18
Purpose Specifications:
 Completion and support of activity for which data was
provided
 Web site and system administration
 Research and development
 One-time tailoring
 Pseudonymous decision or analysis
 Individual decision or analysis
 Contacting visitors for marketing of services or
products
 Historical preservation
 Contacting visitors for marketing of services or
products via telephone
 Other purpose
19
What P3P Accomplishes
 Makes privacy notices easy to locate and easy
to understand.
 Allows users to specify their privacy
preferences once so that they can be
automatically compared to a web site’s privacy
policy.
 Assists users in making decisions about when to
disclose personal information, how much, and
to whom.
20
What P3P Does NOT
Accomplish
 Does NOT replace privacy regulations.
 Can NOT protect the privacy of users in
jurisdictions with insufficient data privacy
laws.
 Can NOT ensure the companies or
organizations follow their stated privacy
policies.
“P3P does not protect privacy, in and of itself. It does,
however, help create a framework for informed choice
on the part of consumers. Any efficacy that P3P has is
dependent upon the substantive privacy rules
established through other processes – be they a result
of regulatory, self-regulatory, or public pressure.”
21
Controversy over P3P
“In the context of proper legislation, P3P is the
most promising solution to cyberspace privacy. It
will make it easy for companies to explain their
practices in a form that computers can read, and
make it easy for consumers to express their
preferences in a way that computers will
automatically respect.”
– Professor Lawrence Lessig, Stanford Law School.
22
Controversy over P3P
P3P is:
a) Pretty Poor Privacy,
b) a Pretext for Privacy Procrastination, and
c) “a tacit acceptance of the great increase in the
tracking and monitoring of our minor activities
that take place over the Web.”
– Karen Coyle, Information Technology Specialist,
University of California
23
Support for P3P
 Provides notice and consent
 Promotes transparency and accountability
 Intuitive
 Flexible and global
 Worthwhile process
24
Criticism of P3P
 Lack of enforcement
 Used as a procrastination tool
 Unclear legal consequences
 Importance of default settings
 Unable to maintain current experience
 Expensive to implement and maintain
 Overly broad and vague purpose
specifications
 Ultimatum-style communication
25
More Criticism of P3P
 Consumer and business confusion
 Rejected by the European Union
 Lack of actual choice
 Assumes the need to gather information
 Does not address third-party data
collection
 Lack of control over an irreversible choice
26
Basic Conflict
What is the real problem?
Lack of knowledge about how
information will be used?
OR
The gathering of the data itself?
27
Universal Agreement
Enforcement mechanisms are needed.
“A technical platform for privacy protection…must
be applied within the context of a framework of
enforceable data protection rules, which provide a
minimum and non-negotiable level of privacy
protection for all individuals. Use of P3P in the
absence of such a framework risks shifting the
onus primarily onto the individual user to protect
himself” – European Commission, 1998.
28
Economic View of Privacy
 Non-adoption of P3P and other privacyenhancing technologies is not due to
technological flaws. It is due to
economic incentives.
 Rational consumers want some of their
personal information available to
producers. They will experience more
privacy (e.g., less intrusive marketing)
and reduced search costs if their true
preferences are known.
29
Complication: Secondary Use
 Customers can benefit from collection
and analysis of personal information by
merchants with whom they transact
directly.
 If that information is sold to a third
party that does not know the customers,
that third party will use it more clumsily
and reimpose cost on the customers.
 The seller of this information has
externalized these costs.
30
Privacy as a Property Right
 Data collectors can externalize the costs of
secondary use because current law gives them
property rights in the databases they construct.
 Alternative: Vest the property rights in the data
subjects, and compensate them for use of their data.
 Varian gives examples of how to structure
information markets and set prices:
http://people.ischool.berkeley.edu/~hal/Papers/privacy
 Opponents of this approach would rather ban sale of
personal information altogether and establish a true
“right to privacy.” Relying on property rights to
control the dissemination and use of personal
information ensures that only the rich will have
privacy.
31