1 privacy online jane turk, ph.d. cis 610 summer 2003

1

Privacy Online

Jane Turk, Ph.D.CIS 610

Summer 2003

2

Outline background & perspectives

surveys of current Internet use children’s online privacy consumer online privacy possible solution routes

3

Business Perspective Direct Marketing: > $176 billion a

year over 10,000 compiled & publicly

traded databases on market today private databases, with little or no

regulation except in financial industry ability to capture info about users

on Web target marketing

4

Privacy Perspective protecting privacy of consumer info

is “very” important to consumers consumers don’t know scope of

data maintained on them strong privacy standards

develop trust in users encourage development of online

commerce

5

Major Concerns of Consumers companies they patronize will

provide their information to other companies without their permission (75%)

their transactions may not be secure (70%)

hackers will steal their personal data (69%)

source: Harris survey, Nov 2001

6

Most Important Elements to be Verified security measures are adequate (90%) company does not release customer

personal data without permission (89%) access within the company is limited

(84%) company is only collecting info that its

privacy policies dictate (84%) info use or sharing follows stated privacy

policies (81%)

source: Harris survey, Nov 2001

7

Suggested Remedy verify privacy policy by a third

party (and 91% would do more business) online seal of approval does not

necessarily verify BBBOnLine and Truste

audit by major accounting firm PricewaterhouseCoopers

source: Harris survey, Nov 2001

8

Fair Information Principles consumers be given:

notice of entity’s info practices choice/consent with respect to

secondary use & dissemination of info collected from or about them

access to info about them collector assure security &

integrity of info provide enforcement mechanism

9

Public Records Online NYC voter registration site NJ info on those licensed by state registries of sex offenders federal judges’ recommendation to

put most civil proceedings online but to restrict criminal proceedings

good source: www.epic.org/privacy/publicrecords

10

Children’s Privacy Federal Trade Commission:

children are avid consumers and influence spending

information collection targets are ages 8-11

business goal: microtarget individual child

CME 1996 study exposed the issues

11

FTC “Kids Privacy Surf Day” “snapshot’, not comprehensive survey

126 sites listed by Yahooligans! results announced Dec 1997 86% of sites surveyed were collecting

personally identifiable info on children fewer than 30% of sites had privacy

policy another review March 1998

12

FTC 1998 Report: Children’s Sites of 212 sites directed at children

89% collect personally identifiable info directly from children

54% disclose info collection practices

fewer than 10% provide for some form of parental control

13

Children’s Online Privacy Protection Act (1998) parental consent required for

collection, use, disclosure of personal information from children under 13

parents may prevent further use or collection

parents may review information

14

Privacy Journal Recommendations parent

approve kid’s giving email address totally involved in kid’s giving physical

address order products in parent’s name

kid can use (false) nickname never use name and address to buy

15

Annenberg 2000 Study 29% of parents would give

identifying info in exchange for a free gift worth $100

45% of kids ages 10-17 would 39% of girls, 54% of boys

parents need help

16

Cookies passive files stored on hard drives

of Netscape & Microsoft IE users store a customer ID number for

site/network used by online advertisers to track

a user’s movements profiling, preferences

issue: transparency

17

Why Cookies? HTTP is stateless: keeps no

information from a connection with cookies, a Web page can

“remember” you from your last visit

enable much of interactivity customization, shopping baskets

18

Online Profiling: How and Where cookies, web bugs, URLs, info you

provide anonymous, unless you identify

yourself in customer database of the

site/network pages/sites visited DoubleClick tracks movement on 1500

sites

19

Online Profiling: Pros and Cons deliver desired content to user provide information about interests

of individual aggregate info about site

info collected often without knowledge or consent

20

Spyware conducts surveillance on a

computer usually placed without knowledge

or consent of computer owner violates basic FIPS e.g., “phone home” programs,

Web bugs, home web monitoring

21

Web Bugs clear GIFs, embedded images transmit info when page is viewed:

where, when designed to monitor who is viewing

page e.g., HTML mail

recent SW enables detection

22

The Net NEVER Forgets Internet Archive scoops up the

Web postings to Usenet groups are

saved in Deja News now http://groups.google.com

posts to email forums and chat services are searchable

public record

23

Costs to Business of Not Protecting Privacy sales lost may be $18 billion older business models may be less

effective than privacy-friendly models lost opportunities and higher costs for

imported personal data “safe harbor” includes complying with

FIPS

source: Robert Gellman, “Privacy, Consumers, and Costs”

24

Costs to Consumers When Privacy Is Not Protected higher prices stopping junk mail and

telemarketing calls avoiding identity theft protecting privacy on the Internetsource: Robert Gellman, “Privacy,

Consumers, and Costs”

25

Solution Routes education, including

fair information principles best business practices

industry self-regulation technology legislation

26

Industry Self-Regulation for privacy depends on posted privacy policies

coming: integrated suites of tools online privacy seal programs

e.g., TRUSTe, BBBOnLine implement some FIPS and monitor

compliance public audit of privacy policies e.g., www.thedailyapple.com

27

FTC Action Against Toysmart privacy policy promised never to

divulge customer information certified by TRUSTe FTC could intervene

bankrupt company advertised “databases and customer lists” for sale

FTC sued to prevent sale of customer info

28

Privacy Enhancing Technologies (PETs) seek to eliminate use of personal data

from transactions or give direct control for disclosure of personal information to individual concerned standard format for ratings systems: Platform for Internet Content Selection

machine-to-machine protocol for data exchange: P3P (Platform for Privacy Preferences)

anonymous use

29

Proposed Online Personal Privacy Act (S. 2201 in 107th) opt-in for sensitive personally

identifiable info opt-out for less sensitive info follows most FIPS preempts state legislation on

online privacy

30

Sources Adkinson, William et al. “Privacy Online: A

report on the information practices and policies of commercial web sites,” March 2002. The Progress and Freedom Foundation.

Center for Democracy and Technology. “Guide to Online Privacy,” http://www.cdt.org/privacy/guide/introduction/

Electronic Privacy Information Center. "Surfer Beware III: Privacy Policies Without Privacy Protection." Dec. 1999 <http://www.epic.org/reports/surfer-beware3.html>

31

Federal Trade Commission. “Privacy Online: Fair Information Practices in the Electronic Marketplace,” May 2000, www.ftc.gov/reports/privacy2000/privacy2000.pdf

Gellman, Robert. “Privacy, Consumers, and Costs: how the lack of privacy costs consumers and why business studies of privacy costs are biased and incomplete,” March 2002. www.epic.org/reports/dmfprivacy.html

32

Goldman, Janlori and Zoe Hudson and Richard M. Smith. “Privacy Report on the Privacy Policies and practices of Health Web Sites”. Sponsored by California HealthCare Foundation, January 2000, http://admin.chcf.org/documents/ehealth/privacywebreport.pdf

Pew Internet and American Life Project. “Trust and Privacy Online: Why Americans Want to Rewrite the Rules,” Aug 2000, www.pewinternet.org/reports/pdfs/PIP_Trust_Privacy_Report.pdf