Post on 22-Dec-2015
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1
Introduction to Privacy and P3P
Fall 2009
Privacy is hard to define
“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
Robert C. Post, Three Concepts of Privacy, 89 Geo. L.J. 2087 (2001).
Britney Spears: “We just need privacy”
“You have to realize that we’re people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being.”
— Britney Spears, 15 June 2006, NBC Dateline
http://www.cnn.com/2006/SHOWBIZ/Music/06/15/people.spears.reut/index.html
Only a goldfish can live without privacy…
Some definitions from the academic literature
– Personhood
– Intimacy
– Secrecy
– Contextual integrity
– Limited access to the self
– Control over information
Most relevant to “usable privacy”
Limited access to self
“Being alone.” - Shane (age 4)
1890: “the right to be let alone” - Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)
1980: “our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention.” - Ruth Gavison, “Privacy and the Limits of the Law,” Yale Law Journal 89 (1980)
Control over information
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”
“…each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….”
- Alan Westin, Privacy and Freedom, 1967
Realizing limited access and control
Limited access
– Laws to prohibit or limit collection, disclosure, contact
– Technology to facilitate anonymous transactions, minimize disclosure
Control
– Laws to mandate choice (opt-in/opt-out)
– Technology to facilitate informed consent, keep track of and enforce privacy preferences
Privacy concerns seem inconsistent with behavior
People say they want privacy, but don’t always take steps to protect it
Many possible explanations
– They don’t really care that much about privacy
– They prefer immediate gratification to privacy protections that they won’t benefit from until later
– They don’t understand the privacy implications of their behavior
– The cost of privacy protection (including figuring out how to protect their privacy) is too high
Privacy policies
Inform consumers about privacy practices
– Consumers can decide whether practices are acceptable, when to opt-out
Most policies require college-level skills to understand, are long, and change without notice
– Few people read privacy policies
Existing privacy policies are not an effective way to inform consumers or give them privacy controls
Cost of reading privacy policies
What would happen if everyone read the privacy policy for each site they visited once each month?
– Time = 244 hours/year
– Cost = $3,534/year
– National opportunity cost for time to read policies: $781 billion
A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008 Privacy Year in Review Issue. http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf
Privacy policy format study
Reading-comprehension and opinion questions about privacy policies in various formats
People could accurately answer questions where they could find the answer by scanning or by keyword
– Does Acme use cookies? (98%)
People had trouble with questions that required more reading comprehension
– Does this policy allow Acme to put you on an email marketing list? (71%)
– Does this policy allow Acme to share your email address with a marketing company that might put you on their email marketing list? (52%)
Even well-written policies are not well-liked and are difficult to use
Layered notices don’t appear to help much
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009. http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf
Can we create a better privacy policy?
Easy to understand
Fast to find information
Easy to compare
Towards a privacy “nutrition label”
Standardized format
– People learn where to look for answers to their questions
– Facilitates side-by-side policy comparisons
Standardized language
– People learn what the terminology means
Brief
– People can get their questions answered quickly
Linked to extended view
– People can drill down and get more details if needed
Nutrition labels for privacy
Iterative process
Next steps: put it online and make it interactive
http://cups.cs.cmu.edu/privacyLabel
P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A “Nutrition Label” for Privacy. SOUPS 2009. http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf
Another approach to privacy communication
Privacy Finder search engine
Checks each search result for computer-readable P3P privacy policy, evaluates against user’s preferences
Composes search result page with privacy meter annotations and links to “Privacy Report”
Allows people to comparison shop for privacy
http://privacyfinder.org/
Impact of privacy information on decision making
Online shopping study conducted at CMU lab
Paid participants to make online purchases with their own credit cards, exposing their own personal information
Participants paid fixed amount and told to keep the change – real tradeoff between money and privacy
Studies demonstrate that when readily accessible and comparable privacy information is presented in search results, many people will pay more for better privacy
J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. WEIS 2007. http://weis2007.econinfosec.org/papers/57.pdf
S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI2009. http://www.guanotronic.com/~serge/papers/chi09a.pdf
http://privacyfinder.org/
Requirements for meaningful control
Individuals must understand what options they have
Individuals must understand implications of their options
Individuals must have the means to exercise options
Costs must be reasonable
– Money, time, convenience, benefits
Location-Based Services
Surveyed 89 location-sharing services
– 17% had easily-accessible privacy settings
– 12% allowed users to specify rules to share location with groups of their friends
– Only 1 had time- or location-based rules
J. Tsai, P. Kelley, L. Cranor, and N. Sadeh. Location-Sharing Technologies: Privacy Risks and Controls. TPRC 2009. http://cups.cs.cmu.edu/LBSprivacy/
Privacy in a location finding service
http://locaccino.org/
Introduction to the Platform for Privacy Preferences (P3P)
P3P Basics
P3P provides a standard XML format that web sites use to encode their privacy policies
Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site
Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set
No special server software required
User software to read P3P policies called a “P3P user agent”
– Built into some web browsers
– Plug-ins and services, e.g. http://privacyfinder.org/
P3P in Internet Explorer
Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears
Automatic processing of compact policies only; third-party cookies without compact policies blocked by default
Users can click on privacy icon for list of cookies; privacy summaries are available at sites that are P3P-enabled
Privacy summary report is generated automatically from full P3P policy
Other P3P User Agents
http://privacyfinder.org/
Privacy Nutrition Label
What’s in a P3P policy?
Name and contact information for site
The kind of access provided
Mechanisms for resolving privacy disputes
The kinds of data collected
How collected data is used, and whether individuals can opt-in or opt-out of any of these uses
Whether/when data may be shared and whether there is opt-in or opt-out
Data retention policy
Assertions in a P3P Policy
General assertions
– Location of human-readable policies and opt-out mechanisms – discuri, opturi attributes of <POLICY>
– Indication that policy is for testing only – <TEST> (optional)
– Web site contact information – <ENTITY>
– Access information – <ACCESS>
– Information about dispute resolution – <DISPUTES> (optional)
Data-specific assertions
– Consequence of providing data – <CONSEQUENCE> (optional)
– Indication that no identifiable data is collected – <NON-IDENTIFIABLE> (optional)
– How data will be used – <PURPOSE>
– With whom data may be shared – <RECIPIENT>
– Whether opt-in and/or opt-out is available – required attribute of <PURPOSE> and <RECIPIENT>
– Data retention policy – <RETENTION>
– What kind of data is collected – <DATA>
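The assertions listed above are the XML elements a P3P user agent reads. As an added example (not from the slides and not the W3C's or any browser's own code), the following Python parses a constructed P3P 1.0 policy for a fictional site and reduces it to the fields a privacy summary report shows, including whether any opt-out choice is offered without an opturi to exercise it; the site name and URLs are invented.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy for a fictional site. Element names and the
# required="always|opt-in|opt-out" attribute follow the P3P 1.0 vocabulary.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY name="shop" discuri="http://example.com/privacy.html" opturi="http://example.com/optout.html">
 <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
 <ACCESS><nonident/></ACCESS>
 <STATEMENT>
  <PURPOSE><current/><admin/><tailoring required="opt-out"/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
 </STATEMENT>
 <STATEMENT>
  <PURPOSE><contact required="opt-in"/></PURPOSE>
  <RECIPIENT><ours/><same required="opt-in"/></RECIPIENT>
  <RETENTION><business-practices/></RETENTION>
  <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
 </STATEMENT>
</POLICY></POLICIES>"""

def _choices(parent):
    # Children of PURPOSE/RECIPIENT carry the opt-in/opt-out choice in their
    # required attribute; the P3P default when it is absent is "always".
    return [(c.tag[len(NS):], c.get("required", "always")) for c in parent]

def summarize(policy_xml):
    """Reduce one P3P POLICY to the fields a privacy summary report shows."""
    policy = ET.fromstring(policy_xml).find(NS + "POLICY")
    entity = next(policy.find(NS + "ENTITY").iter(NS + "DATA"))
    summary = {"entity": entity.text,
               "discuri": policy.get("discuri"),  # human-readable policy
               "opturi": policy.get("opturi"),    # where opt-outs are exercised
               "access": [n for n, _ in _choices(policy.find(NS + "ACCESS"))],
               "statements": []}
    for st in policy.findall(NS + "STATEMENT"):
        summary["statements"].append({
            "data": [d.get("ref") for d in st.iter(NS + "DATA")],
            "purposes": _choices(st.find(NS + "PURPOSE")),
            "recipients": _choices(st.find(NS + "RECIPIENT")),
            "retention": [n for n, _ in _choices(st.find(NS + "RETENTION"))]})
    return summary

def missing_opturi(summary):
    """True when a statement offers opt-out but the policy names no opturi."""
    offers = any(r == "opt-out" for st in summary["statements"]
                 for _, r in st["purposes"] + st["recipients"])
    return offers and not summary["opturi"]
```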
Web Site Adoption of P3P
Ecommerce sites more likely to implement P3P
– 10% of results from typical search terms have P3P
– 21% of results from ecommerce search terms have P3P
More popular sites are more likely to implement P3P
– 5% of sites in our cache have P3P
– 9% of 30K most clicked on domains have P3P
– 17% of clicks to 30K most clicked on domains have P3P
Searches frequently return P3P-enabled hits
– 83% of searches had at least one P3P-enabled site in top 20 results
– 68% of searches had at least one P3P-enabled site in top 10 results
L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, 2008
Legal Issues
P3P specification does not address legal standing of P3P policies or include enforcement mechanisms
P3P specification requires P3P policies to be consistent with natural-language privacy policies
– P3P policies and natural-language policies are not required to contain the same level of detail
– Typically natural-language policies contain more detailed explanations of specific practices
In some jurisdictions, regulators and courts may treat P3P policies equivalently to natural language privacy policies
The same corporate attorneys and policy makers involved in drafting natural-language privacy policy should be involved in creating P3P policy
Privacy policy | P3P policy
Designed to be read by a human | Designed to be read by a computer
Can contain fuzzy language with “wiggle room” | Mostly multiple choice – sites must place themselves in one “bucket” or another
Can include as much or as little information as a site wants | Must include disclosures in every required area
Easy to provide detailed explanations | Limited ability to provide detailed explanations
Sometimes difficult for users to determine boundaries of what it applies to and when it might change | Precisely scoped
Web site controls presentation | User agent controls presentation
P3P Deployment Overview
Create a privacy policy
Analyze the use of cookies and third-party content on your site
Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site
Create a P3P policy (or policies) for your site
Create a policy reference file for your site
Configure your server for P3P
Test your site to make sure it is properly P3P enabled
– http://www.w3.org/P3P/validator.html
IBM P3P Policy Editor
Sites can list the types of data they collect and view the corresponding P3P policy
Internet Explorer Cookie Blocking
Default cookie-blocking behavior in Internet Explorer (version 6, 7, 8)
– Block third-party cookies without P3P compact policies
– Block third-party cookies with “unsatisfactory” compact policies
– IE considers cookies third-party if they come from a different domain name than the page they are embedded in, even if both domains are owned by same company
IE considers cookies unsatisfactory if
– They are associated with PII that is shared or used for marketing, profiling, or unknown purposes
– And no opt-out is available
L. Cranor. Help! IE6 Is Blocking My Cookies. http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html
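As an added example (not IE's code and not from the slides), the following Python applies the blocking rule just described to constructed P3P compact-policy header values of the kind a server sends alongside Set-Cookie. The token vocabulary is the P3P 1.0 one; the mapping of “PII”, “marketing, profiling or unknown purposes” and “shared” onto particular tokens is an assumption of this example, not IE's internal table.

```python
import re

# Token vocabulary of P3P 1.0 compact policies (fixed by the specification).
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"}
# Assumed reading of the slide's rule, not IE's internal table: "PII" means
# the physical/online contact, government-ID and financial categories;
# "marketing, profiling or unknown" purposes and "shared" recipients below.
PII = {"PHY", "ONL", "GOV", "FIN"}
SUSPECT_PURPOSES = {"CON", "TEL", "PSA", "PSD", "IVA", "IVD", "OTP"}
SHARING = {"SAM", "OTR", "UNR", "PUB"}

# Constructed P3P header values as a server would send them with Set-Cookie.
NO_PII = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa OUR NOR"'
NO_OPT_OUT = 'CP="CAO DSP COR CURa ADMa CONa OUR SAMa IND PHY ONL"'
WITH_OPT_OUT = 'CP="CAO DSP COR CURa ADMa CONo OUR SAMo IND PHY ONL"'

def parse_cp(header_value):
    """Return [(token, choice)] from CP="...", choice being 'a' (always),
    'i' (opt-in), 'o' (opt-out) or None; None if there is no CP field."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if not m:
        return None
    pairs = []
    for tok in m.group(1).split():
        if len(tok) == 4 and tok[3] in "aio" and tok[:3] in PURPOSES | RECIPIENTS:
            pairs.append((tok[:3], tok[3]))
        else:
            pairs.append((tok, None))
    return pairs

def is_unsatisfactory(pairs):
    """Slide rule: PII shared or used for marketing/profiling/unknown purposes
    and no opt-out; 'a' or a missing suffix counts as offering no choice."""
    if not {tok for tok, _ in pairs} & PII:
        return False
    return any(tok in SUSPECT_PURPOSES | SHARING and choice in ("a", None)
               for tok, choice in pairs)

def ie_cookie_decision(p3p_header, third_party):
    """'allow' or 'block' per the default IE 6-8 behaviour described above."""
    pairs = parse_cp(p3p_header) if p3p_header else None
    if third_party and pairs is None:
        return "block"  # third-party cookie with no compact policy
    if third_party and is_unsatisfactory(pairs):
        return "block"  # third-party cookie with unsatisfactory compact policy
    return "allow"
```

The slide's rule only bites for third-party cookies, so a first-party cookie carrying the same unsatisfactory policy is still allowed here.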
How Privacy Rights are Protected
By policy
– Protection through laws and organizational privacy policies
– Must be enforced
– Often requires mechanisms to obtain and record consent
– Transparency facilitates choice and accountability
– Technology facilitates compliance and reduces the need to rely solely on trust and external enforcement
– Technology reduces or eliminates any form of manual processing or intervention by humans
– Violations still possible due to bad actors, mistakes, government mandates
By architecture
– Protection through technology
– Reduces the need to rely on trust and external enforcement
– Violations only possible if technology fails or the availability of new data or technology defeats protections
– Often viewed as too expensive or restrictive
  • Limits the amount of data available for data mining, R&D, targeting, other business purposes
  • May require more complicated system architecture, expensive cryptographic operations
  • Pay now or pay later
Degrees of Identifiability
Privacy stages from identified (0) to anonymous (3), each with the approach to privacy protection, the linkability of data to personal identifiers, and the system characteristics of that stage:

Stage 0: identified – privacy by policy (notice and choice) – linked
• unique identifiers across databases
• contact information stored with profile information

Stage 1: pseudonymous – privacy by policy (notice and choice) – linkable with reasonable & automatable effort
• no unique identifiers across databases
• common attributes across databases
• contact information stored separately from profile or transaction information

Stage 2: pseudonymous – privacy by architecture – not linkable with reasonable effort
• no unique identifiers across databases
• no common attributes across databases
• random identifiers
• contact information stored separately from profile or transaction information
• collection of long term person characteristics on a low level of granularity
• technically enforced deletion of profile details at regular intervals

Stage 3: anonymous – privacy by architecture – unlinkable
• no collection of contact information
• no collection of long term person characteristics
• k-anonymity with large value of k

Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February 2009, pp. 67-82. http://ssrn.com/abstract=1085333