Agents of Choice Tools That Facilitate Notice and Choice About
Download
Report
Transcript Agents of Choice Tools That Facilitate Notice and Choice About
Privacy Implications
of Online Data
Collection
DIMACS Workshop
Lorrie Faith Cranor
AT&T Labs-Research
http://www.research.att.com/~lorrie/
Recent headlines
Activists charge DoubleClick double cross
Websites Pull Back From Doubleclick
Doubleclick shelves plan to tag Web surfers
Senators Raise Privacy Issue In AOL-Time Warner Hearing
Clinton Issues Privacy Warning To Technology Leaders
2
Online profiling in the comics!
Cathy
March 1, 2000
3
How do they get my data?
Browsers advertise
IP address, domain name, organization, referring page
platform: O/S, browser
which information is requested
Information available to
end servers
local system administrators
other third parties (e.g., doubleclick.com)
Cookies, Web bugs, advertising networks
4
Browsers like to chatter
A typical HTTP request
GET http://www.amazon.com/ HTTP/1.0
User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m)
Host: www.amazon.com
Referer: http://www.alcoholics-anonymous.org/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Cookie: session-id-time=868867200; session-id=6828-2461327649945; group_discount_cookie=F
5
Servers record what they hear
Server logs
store host, time, date, requested URL, referrer
ppp.bu.edu - - [09/Dec/1996:20:33:22
-500] “Get /cgibin/wwwais?hemoglobin+gene
HTTP/1.0” 200 527
affiliation: Boston University, probably working
from home, probably student or faculty in
biology
6
What about cookies?
Cookies can be useful
used like a staple to attach multiple parts of a form
together
used to identify you when you return to a web site so
you don’t have to remember a password
used to help web sites understand how people use
them
Cookies can be harmful
used to profile users and track their activities,
especially across web sites
7
YOU
Search for
medical
information
Buy book
Set
cookie
Read
cookie
Ad
Search
engine
Ad
Ad company
can get your
name and
address from
book order and
link them to
your search
Book
Store
8
Referer log problems
GET methods result in values in
URL
These URLs are sent in the referer
header to next host
Example:
http://www.merchant.com/cgi_bin/order?name=
Tom+Jones&address=here+there&credit+car
d=234876923234&PIN=1234& -> index.html
9
What DoubleClick knows…
… about Richard M. Smith
Personal data:
My Email address
My full name
My mailing address (street, city, state, and Zip code)
My phone number
Transactional data:
Names of VHS movies I am interesting in buying
Details of a plane trip
Search phrases used at search engines
Health conditions
10
No clicks required
“It was not necessary for me to click on
the banner ads for information to be
sent to DoubleClick servers.”
– Richard M. Smith
http://www.tiac.net/users/smiths/privacy/banads.htm
11
DoubleClick examples
AltaVista Yellow Pages – Complete home address
(Fixed January 2000)
Banner ad URL: http://live.av.com/scripts/search.dll?ep=
7&gca=address&orderby=distance&sstreet=172+mason+terr
&scity=brookline&sstate=MA&szip=02446&scountry=
USA&query=sinsa&qname=&sic=&ck=&userid=130782922&
userpw=.&uh=130782922,0,&ccity=brookline&cstate=MA&ver
=hb1.2.2
Travelocity – Email address
Referring URL: http://dps1.travelocity.com/promoptout.ctl
[email protected]
12
Merging online and offline data
In mid-February DoubleClick
announced plans to merge
“anonymous” online data with personal
information obtained from offline
databases
By the first week in March the plans
were put on hold
13
Public concern
April 1997 Louis Harris Poll of Internet
users
5% say they have been the victim of an
invasion of privacy while on the Internet
53% say they are concerned that information
about which sites they visit will be linked to
their email address and disclosed without their
knowledge
See also “Beyond Concern” study:
http://www.research.att.com/projects
/privacystudy/
14
International issues
European Union Data Directive
prohibits secondary uses of data
without informed consent
Creating personally-identifiable online profiles
will have to be opt-in in most cases
Upfront notice must be given when data is
collected – no web bugs
No transfer of data to non-EU countries unless
there is adequate privacy protection
15
Children's issues
Children’s Online Privacy Protection Act
(COPPA) requires parental consent
before collecting personally-identifiable
data from children online
16
Subpoenas
Data on online activities is increasingly
of interest in civil and criminal cases
The only way to avoid subpoenas is to
not have data
Your files on your computer in your
home have much greater legal
protection that your files stored on a
server on the network
17
Privacy concerns
Data is often collected silently
Web allows lots of data to be collected easily, cheaply,
unobtrusively and automatically
Individuals not given meaningful choice
Data from many sources may be merged
Even non-identifiable daa can become identifiable
when merged
Data collected for business purposes may be
used in civil and criminal proceedings
18
Some solutions
Privacy policies
Voluntary guidelines and codes of
conduct
Seal programs
Infomediaries
Technologies for facilitating notice and
choice
P3P
19
P3P1.0 – A First Step
Offers an easy way for web sites to
communicate about their privacy
policies in a standard machine-readable
format
Can be deployed using existing web servers
This will enable users to use tools that:
Display symbols, play sounds, or provide
snapshots of sites’ policies
Display symbols or prompts after comparing
policies with user preferences
20
P3P is a Partial Solution
P3P1.0 helps users understand privacy
policies but is not a complete solution
Seal programs and regulations help ensure
that sites comply with their policies
Anonymity tools reduce the amount of
information revealed while browsing
Encryption tools secure data in transit and
storage
Laws and codes of practice provide a base
line level for acceptable policies
21
Implementing a P3P 1.0 Server
Formulate privacy policy
Translate privacy policy into P3P format
Place P3P policy on web site
One policy for entire site or multiple policies for
different parts of the site
Associate policy with web resources:
Configure server to insert P3P header with link to
P3P policy; or
Insert link to P3P policy in HTML content
22
A simple HTTP transaction
GET /x.html HTTP/1.1
Host: foo.com
. . . Request web page
Web
Server
HTTP/1.1 200 OK
Content-Type: text/html
. . . Send web page
23
A simple HTTP transaction
With P3P 1.0 added
GET /x.html HTTP/1.1
Host: foo.com
. . . Request web page
Web
Server
HTTP/1.1 200 OK
Opt: http://www.w3.org/2000/P3Pv1/;
ns=11
HTTP/1.1 200 OK
11-Policy: http://foo.com/p3p.xml
Content-Type: text/html
Content-Type: text/html
. . . Send web page
. . . Send web page
GET /p3p.xml HTTP/1.1
Host: foo.com
. . .
Request P3P Policy
HTTP/1.1 200 OK
. . . Send P3P Policy
24
Implementing a P3P1.0 Client
Client can be implemented as browser, proxy,
plugg-in, part of an electronic wallet, java
applet, javascript, etc.
Can be entirely server side
Look for link to P3P policy and fetch policy
with HTTP GET request
Parse policy and take appropriate action
Display symbol, play sound, prompt user, etc.
Action can optionally be based on user preferences
Action can optionally allow data to be automatically
filled into form or transferred from electronic wallet
25
Some P3P Client Ideas
Symbols for how data is
used
complete transaction
R&D
Customization
marketing
Symbols to indicate
whether data is shared
Symbols to indicate site
has privacy seal
Symbols to indicate
compliance with laws
and regulations
complies with German law
complies with German law
if user gives informed
consent
does not comply with
German law
Symbols to indicate
match/mismatch with
user preferences
information about cause of
mismatch on mouse-over
26
P3P Policies
Machine-readable (XML) version of web site
privacy policies
Use P3P Vocabulary to express data
practices
Use P3P Base Data Set to express type of
data collected
Capture common elements of privacy policies
but may not express everything (sites may
provide further explanation in humanreadable policies)
27
The P3P Vocabulary
Who is collecting data?
What data is collected?
For what purpose will
data be used?
Is there an ability to
change preferences
about (opt-in or opt-out)
of some data uses?
Who are the data
recipients (anyone
beyond the data
collector)?
To what information
does the data collector
provide access?
What is the data
retention policy?
How will disputes about
the policy be resolved?
Where is the humanreadable privacy
policy?
28
Example Privacy Policy
TheCoolCatalog of 123 Main Street, Bethesda, MD 20814, USA, makes
the following statement for the Web page at
http://www.TheCoolCatalog.com/catalog/. We have a privacy seal
from PrivacySeal.org. Our privacy policy is posted at
http://www.TheCoolCatalog.com/PrivacyPractice.html. We do not
provide access capabilities to information we have about you.
We use cookies and collect your gender, information about your clothing
preferences, and (optionally) your home address to customize our
entry catalog pages and for our own research and product
development. We retain this information indefinitely.
We also maintain server logs that include information about visits to the
http://www.TheCoolCatalog.com/catalog/ page, and the types of
browsers our visitors use. We use this information in order to
maintain and improve our web site. We retain this information
indefinitely.
29
P3P/XML Encoding
<POLICY xmlns="http://www.w3.org/2000/P3Pv1"
entity=“TheCoolCatalog, 123 Main Street, Bethesda, MD 20814, USA">
<DISPUTES-GROUP><DISPUTES resolution-type="independent"
service="http://www.PrivacySeal.org" description="PrivacySeal.org"
image="http://www.PrivacySeal.org/Logo.gif"/></DISPUTES-GROUP>
<DISCLOSURE discuri="http://www.TheCoolCatalog.com/PrivacyPractice.html"
access="none"/>
<STATEMENT>
<CONSEQUENCE-GROUP><CONSEQUENCE>a site with clothes you would
appreciate</CONSEQUENCE></CONSEQUENCE-GROUP>
<RECIPIENT><ours/></RECIPIENT> <PURPOSE><custom/><develop/></PURPOSE>
<RETENTION><indefinitely/></RETENTION>
<DATA-GROUP>
<DATA name="dynamic.cookies" category="state"/>
<DATA name="dynamic.miscdata" category="preference"/>
<DATA name="user.gender"/>
<DATA name="user.home." optional="yes"/>
</DATA-GROUP>
</STATEMENT>
<STATEMENT>
<RECIPIENT><ours/></RECIPIENT> <PURPOSE><admin/><develop/></PURPOSE>
<RETENTION><indefinitely/></RETENTION>
<DATA-GROUP>
<DATA name="dynamic.clickstream.server"/>
<DATA name="dynamic.http.useragent"/>
</DATA-GROUP>
</STATEMENT>
</POLICY>
PrivacyBank.Com
PrivacyBank
bookmark
31
Infomediary example:
PrivacyBank
PrivacyBank
bookmark
32
Challenge
Data is useful for research, targeting potential
customers, building relationships with
customers, etc.
Privacy laws make data collection more
difficult
Data collectors have personal privacy
concerns too
How can we collect data in ways that reduce
privacy concerns while remaining useful for
research and business?
33