Developing Online Privacy Standards: A View From the Trenches
Lorrie Faith Cranor, AT&T Labs-Research
http://lorrie.cranor.org/
Outline
Online privacy concerns
Introduction to P3P
P3P implementations
So why did it take so long?
Cathy, January 21, 2001
Online privacy – key concerns
Data is often collected silently: the Web allows lots of data to be collected easily, cheaply, unobtrusively and automatically
Individuals are not given meaningful choice
Individuals don't know what data is being collected or how it is being used, and often assume the worst
Data from many sources may be merged: even non-identifiable data can become identifiable when merged
Data collected for business purposes may be used in civil and criminal proceedings
Some solutions
Privacy policies
Voluntary guidelines and codes of conduct
Seal programs
Chief privacy officers
Laws and regulations
Software tools
Privacy policies
Policies let consumers know about a site's privacy practices
Consumers can then decide whether or not the practices are acceptable, when to opt in or opt out, and whom to do business with
The presence of privacy policies increases consumer trust
BUT policies are often difficult to understand, hard to find, and take a long time to read
Many policies are changed frequently without notice
Voluntary guidelines
Online Privacy Alliance: http://www.privacyalliance.org
Direct Marketing Association Privacy Promise: http://www.thedma.org/library/privacy/privacypromise.shtml
Network Advertising Initiative Principles: http://www.networkadvertising.org/
OECD fair information principles
http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM
Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability
Simplified principles
Notice and disclosure
Choice and consent
Data security
Data quality and access
Recourse and remedies
Seal programs
TRUSTe: http://www.truste.org
BBBOnline: http://www.bbbonline.org
CPA WebTrust: http://www.cpawebtrust.org/
Japanese Privacy Mark: http://www.jipdec.or.jp/security/privacy/
Chief Privacy Officers
Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
Role of CPO varies in each company:
Draft privacy policy
Respond to customer concerns
Educate employees about company privacy policy
Review new products and services for compliance with privacy policy
Develop new initiatives to keep company out front on privacy issue
Monitor pending privacy legislation
Laws and regulations
Privacy laws and regulations vary widely throughout the world
US has mostly sector-specific laws, with relatively minimal protections
Federal Trade Commission has jurisdiction over fraud and deceptive practices
Federal Communications Commission regulates telecommunications
European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
Privacy commissions in each country (some countries have national and state commissions)
Software tools
Anonymity and pseudonymity tools: anonymizing proxies; mix networks and similar web anonymity tools (Onion Routing, Crowds, Freedom); anonymous email
Encryption tools: file encryption; email encryption; encrypted network connections
Filters: cookie cutters; child protection software
Information and transparency tools: identity management tools; P3P
Other tools: privacy-friendly search engines; computer "cleaners"; tools to facilitate access
Platform for Privacy Preferences Project (P3P)
Developed by the World Wide Web Consortium (W3C): http://www.w3.org/p3p/
Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format
Can be deployed using existing web servers
This will enable the development of tools (built into browsers or separate applications) that:
Provide snapshots of sites' policies
Compare policies with user preferences
Alert and advise the user
P3P is part of the solution
P3P1.0 helps users understand privacy policies but is not a complete solution
Seal programs and regulations help ensure that sites comply with their policies
Anonymity tools reduce the amount of information revealed while browsing
Encryption tools secure data in transit and storage
Laws and codes of practice provide a baseline level for acceptable policies
How P3P works
P3P provides a standard XML format that web sites use to encode their privacy policies
Sites also provide "policy reference files" to indicate which policy applies to which part of the site
No special server software required
A simple HTTP transaction
Browser → web server: GET /index.html HTTP/1.1; Host: www.att.com; . . . (request web page)
Web server → browser: HTTP/1.1 200 OK; Content-Type: text/html; . . . (send web page)

... with P3P 1.0 added
Browser → web server: GET /w3c/p3p.xml HTTP/1.1; Host: www.att.com (request policy reference file)
Web server → browser: send policy reference file
Browser → web server: GET /index.html HTTP/1.1; Host: www.att.com; . . . (request web page)
Web server → browser: HTTP/1.1 200 OK; Content-Type: text/html; . . . (send web page)
Browser → web server: request P3P policy
Web server → browser: send P3P policy
Using P3P on your Web site
1. Formulate privacy policy
2. Translate privacy policy into P3P format (use a policy generator tool)
3. Place P3P policy on web site: one policy for entire site or multiple policies for different parts of the site
4. Associate policy with web resources: place P3P policy reference file (which identifies location of relevant policy file) at well-known location on server; configure server to insert P3P header with link to P3P policy reference file; or insert link to P3P policy reference file in HTML content
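The four steps above and the exchange on the "with P3P 1.0 added" slide, worked through as an added example in Python; this is not code from the talk, the W3C or AT&T. It builds a policy reference file, shows all three ways a site can point a user agent at it (well-known location, P3P response header, HTML link), and resolves which policy covers a given URL. The host www.example.com, the paths, the policy names and the whole reference file are constructed for the example; element names, the /w3c/p3p.xml well-known location, the header's policyref field and <link rel="P3Pv1"> follow the P3P 1.0 specification, and the namespace URI is the one in the 2002 Recommendation, which is later than this talk.

```python
# Added example (not from the talk, W3C or AT&T): how a P3P 1.0 user agent finds
# the policy reference file for a page and applies its INCLUDE/EXCLUDE rules to
# pick the policy for one URL.  ASSUMED: host, paths, policy names and the
# reference file below are constructed; no network is used.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

P3P_NS = {"p": "http://www.w3.org/2002/01/P3Pv1"}
WELL_KNOWN = "/w3c/p3p.xml"   # the well-known location from the spec

# Constructed policy reference file, as the site would serve it at /w3c/p3p.xml.
POLICY_REF_FILE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/store/*</EXCLUDE>
      <EXCLUDE>/w3c/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#purchases">
      <INCLUDE>/store/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed site: URL -> (response headers, body).  index.html advertises the
# reference file both ways; cart.html relies on the well-known location only.
SITE = {
    "http://www.example.com/index.html": (
        {"Content-Type": "text/html", "P3P": 'policyref="/w3c/p3p.xml"'},
        '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head><body></body></html>'),
    "http://www.example.com/store/cart.html": ({"Content-Type": "text/html"}, "<html></html>"),
    "http://www.example.com/w3c/p3p.xml": ({"Content-Type": "text/xml"}, POLICY_REF_FILE),
    "http://www.example.com/w3c/policies.xml": ({"Content-Type": "text/xml"}, "<POLICIES/>"),
}


def policyref_from_header(p3p_header):
    """policyref="..." from a P3P response header, or None."""
    m = re.search(r'policyref\s*=\s*"([^"]+)"', p3p_header or "")
    return m.group(1) if m else None


def policyref_from_html(html):
    """href of <link rel="P3Pv1" ...> in the page, or None (a regex is enough here)."""
    m = re.search(r'<link[^>]*rel\s*=\s*"P3Pv1"[^>]*href\s*=\s*"([^"]+)"', html or "", re.I)
    return m.group(1) if m else None


def locate_policy_reference_file(page_url, headers, body):
    """The three mechanisms from step 4.  Trying the header, then the HTML link,
    then the well-known location is this example's own order."""
    ref = policyref_from_header(headers.get("P3P")) or policyref_from_html(body) or WELL_KNOWN
    return urljoin(page_url, ref)


def _pattern(p3p_pattern):
    # In INCLUDE/EXCLUDE only '*' is special: it matches any run of characters.
    return re.compile("^" + ".*".join(re.escape(part) for part in p3p_pattern.split("*")) + "$")


def policy_for_path(prf_xml, path):
    """Apply the reference file to a request path.  The first POLICY-REF with a
    matching INCLUDE and no matching EXCLUDE wins; None means no policy declared.
    (Simplification: the spec matches path plus query; this matches the path.)"""
    root = ET.fromstring(prf_xml)
    for ref in root.findall("p:POLICY-REFERENCES/p:POLICY-REF", P3P_NS):
        inc = [_pattern(e.text.strip()) for e in ref.findall("p:INCLUDE", P3P_NS)]
        exc = [_pattern(e.text.strip()) for e in ref.findall("p:EXCLUDE", P3P_NS)]
        if any(r.match(path) for r in inc) and not any(r.match(path) for r in exc):
            return ref.get("about")
    return None


def user_agent_fetch(page_url):
    """Model the exchange on the slide: fetch the page, fetch the policy reference
    file, match the page's path, then fetch the policy file.  Returns the list of
    URLs requested and the URI of the applicable policy (fragment = policy name)."""
    requests = [page_url]
    headers, body = SITE[page_url]
    prf_url = locate_policy_reference_file(page_url, headers, body)
    requests.append(prf_url)
    _, prf_xml = SITE[prf_url]
    policy_ref = policy_for_path(prf_xml, urlsplit(page_url).path)
    if policy_ref is None:
        return requests, None
    policy_uri = urljoin(prf_url, policy_ref)
    requests.append(policy_uri.split("#", 1)[0])   # the policy file itself
    return requests, policy_uri


if __name__ == "__main__":
    for url in ("http://www.example.com/index.html", "http://www.example.com/store/cart.html"):
        reqs, policy = user_agent_fetch(url)
        print(url, "->", policy, "via", reqs)
```

Two details worth noticing in the matching: an EXCLUDE overrides an INCLUDE in the same POLICY-REF, and POLICY-REF order matters, so a catch-all "/*" entry placed first must carve out every area that has its own policy, as the constructed file does for /store/.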
The P3P vocabulary
Who is collecting data?
What data is collected?
For what purpose will data be used?
Is there an ability to opt-in or opt-out of some data uses?
Who are the data recipients (anyone beyond the data collector)?
To what information does the data collector provide access?
What is the data retention policy?
How will disputes about the policy be resolved?
Where is the human-readable privacy policy?
Transparency
P3P clients can check a privacy policy each time it changes
P3P clients can check privacy policies on all objects in a web page, including ads and invisible images
http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE
http://www.att.com/accessatt/
User preferences
P3P spec does not specify how users should configure their preferences or what user agent should do
Some guidelines are offered in Guiding Principles
A separate W3C specification, A P3P Preference Exchange Language (APPEL), provides a standard format for encoding preferences
Not required for P3P user agent implementations
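An added example (not from the talk, the W3C or the AT&T tool) that serves the two slides above: it reads a P3P 1.0 policy and answers the vocabulary questions from its elements, then compares those answers with user preferences, which is the comparison a customizable user agent performs. The preference format is the example's own, not APPEL. The policy text, its entity and data elements, and the preferences are constructed; element names, the value names and the required attribute follow P3P 1.0 (2002 Recommendation namespace).

```python
# Added example (not from the talk, W3C or AT&T): summarize a P3P 1.0 policy and
# check it against user preferences.  ASSUMED: the policy, entity, data refs and
# USER_PREFS are constructed; the preference format is this example's, not APPEL.
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy file with one POLICY and two STATEMENTs.
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="general" discuri="http://www.example.com/privacy.html">
  <ENTITY><DATA-GROUP>
   <DATA ref="#business.name">Example Corp</DATA>
   <DATA ref="#business.contact-info.online.email">privacy@example.com</DATA>
  </DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
   <DISPUTES resolution-type="service" service="http://www.example.com/privacy.html"/>
  </DISPUTES-GROUP>
  <STATEMENT>
   <PURPOSE><current/><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http.useragent"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><current/><contact required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><other-recipient required="opt-in"/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""


def _local(elem):
    """Element name without the namespace (P3P encodes values as element names)."""
    return elem.tag[len(NS):] if elem.tag.startswith(NS) else elem.tag


def summarize_policy(xml_text, name):
    """Answer who / what / purpose / opt-in or opt-out / recipients / access /
    retention / disputes / human-readable policy for the POLICY called `name`."""
    root = ET.fromstring(xml_text)
    policy = next((p for p in root.iter(NS + "POLICY") if p.get("name") == name), None)
    if policy is None:
        raise ValueError("no POLICY named %r" % name)
    who = {d.get("ref").lstrip("#"): (d.text or "").strip()
           for d in policy.find(NS + "ENTITY").iter(NS + "DATA")}
    statements = []
    for st in policy.findall(NS + "STATEMENT"):
        # `required` on a purpose/recipient is always, opt-in or opt-out; it
        # defaults to "always" when the attribute is absent.
        statements.append({
            "data": [d.get("ref").lstrip("#") for d in st.iter(NS + "DATA")],
            "purposes": {_local(p): p.get("required", "always") for p in st.find(NS + "PURPOSE")},
            "recipients": {_local(r): r.get("required", "always") for r in st.find(NS + "RECIPIENT")},
            "retention": [_local(r) for r in st.find(NS + "RETENTION")],
        })
    return {
        "who": who,
        "access": [_local(a) for a in policy.find(NS + "ACCESS")],
        "disputes": [(d.get("resolution-type"), d.get("service")) for d in policy.iter(NS + "DISPUTES")],
        "discuri": policy.get("discuri"),
        "statements": statements,
    }


# Constructed preferences: for data whose name starts with the key, the user
# objects to these purposes and recipients unless the site makes them opt-in.
USER_PREFS = {
    "user.": {"purposes": {"contact", "telemarketing"},
              "recipients": {"other-recipient", "unrelated", "public"}},
}


def mismatches(summary, prefs):
    """(data, kind, value, required) for every declared use the user objects to."""
    found = []
    for st in summary["statements"]:
        for data in st["data"]:
            for prefix, rule in prefs.items():
                if not data.startswith(prefix):
                    continue
                for kind in ("purposes", "recipients"):
                    for value, required in st[kind].items():
                        if value in rule[kind] and required != "opt-in":
                            found.append((data, kind, value, required))
    return found


if __name__ == "__main__":
    s = summarize_policy(POLICY_XML, "general")
    print("Who:", s["who"]["business.name"], "| access:", s["access"], "| disputes:", s["disputes"])
    for m in mismatches(s, USER_PREFS):
        print("MISMATCH: %s, %s %s is %s" % m)
```

With the constructed inputs the second statement trips the rule: contact use of the user's name and e-mail is opt-out, so it is reported, while sharing with other recipients is opt-in and is not. That distinction, required="opt-in" versus "opt-out", is exactly the opt-in/opt-out question in the vocabulary, and a user agent that ignores the attribute would either over- or under-warn.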
Types of P3P user agent tools
On-demand or continuous: some tools only check for P3P policies when the user requests, others check automatically at every site
Generic or customized: some tools simply describe a site's policy in some user-friendly format; others are customizable and can compare the policy with a user's preferences
Information-only or automatic action: some tools simply inform users about site policies, while others may actively block cookies, referrers, etc. or take other actions at sites that don't match user's preferences
Built-in, add-on, or service: some tools may be built into web browsers or other software, others are designed as plug-ins or other add-ons, and others may be provided as part of an ISP or other service
Other types of P3P tools
P3P validators: check a site's P3P policy for valid syntax
Policy generators: generate P3P policies and policy reference files for web sites
Web site management tools: assist sites in deploying P3P across the site, making sure forms are consistent with P3P policy, etc.
Search and comparison tools: compare privacy policies across multiple web sites, perhaps built into search engines
P3P in IE6
Privacy icon on status bar
Initial focus is on P3P policies for cookies
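P3P's cookie handling in IE6 rests on compact policies: a short token string a site sends in the CP field of its P3P response header alongside its cookies, a summary of the full policy that the later "not just compact policies" slide contrasts with full-policy processing. As an added example (not Microsoft's, the W3C's or the talk's code), the following decodes such a CP string back into the full vocabulary and applies one acceptance rule. The token tables follow the P3P 1.0 compact policy vocabulary; the sample headers and the rule in unsatisfactory_reasons() are constructed and do not reproduce IE6's actual privacy settings.

```python
# Added example (not Microsoft's, W3C's or the talk's code): decode a P3P 1.0
# compact policy and judge it with one constructed rule.  ASSUMED: HEADERS and
# the rule in unsatisfactory_reasons() are this example's own, not IE6's.
import re

# Compact token -> full-vocabulary value (P3P 1.0 compact policy vocabulary).
ACCESS = {"NOI": "nonident", "ALL": "all", "CAO": "contact-and-other",
          "IDC": "ident-contact", "OTI": "other-ident", "NON": "none"}
PURPOSE = {"CUR": "current", "ADM": "admin", "DEV": "develop", "TAI": "tailoring",
           "PSA": "pseudo-analysis", "PSD": "pseudo-decision",
           "IVA": "individual-analysis", "IVD": "individual-decision",
           "CON": "contact", "HIS": "historical", "TEL": "telemarketing",
           "OTP": "other-purpose"}
RECIPIENT = {"OUR": "ours", "DEL": "delivery", "SAM": "same", "OTR": "other-recipient",
             "UNR": "unrelated", "PUB": "public"}
RETENTION = {"NOR": "no-retention", "STP": "stated-purpose", "LEG": "legal-requirement",
             "BUS": "business-practices", "IND": "indefinitely"}
CATEGORY = {"PHY": "physical", "ONL": "online", "UNI": "uniqueid", "PUR": "purchase",
            "FIN": "financial", "COM": "computer", "NAV": "navigation",
            "INT": "interactive", "DEM": "demographic", "CNT": "content",
            "STA": "state", "POL": "political", "HEA": "health", "PRE": "preference",
            "LOC": "location", "GOV": "government", "OTC": "other-category"}
FLAGS = {"DSP": "disputes", "NID": "non-identifiable", "TST": "test",
         "COR": "remedy:correct", "MON": "remedy:money", "LAW": "remedy:law"}
REQUIRED = {"a": "always", "i": "opt-in", "o": "opt-out"}   # suffix on purposes/recipients


def parse_compact_policy(p3p_header):
    """Tokens of CP="..." grouped by vocabulary element; None if no CP is present."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header or "")
    if not m:
        return None
    cp = {"access": [], "purposes": {}, "recipients": {}, "retention": [],
          "categories": [], "flags": [], "unknown": []}
    for tok in m.group(1).split():
        base, suffix = tok[:3].upper(), tok[3:].lower()
        if suffix and suffix not in REQUIRED:
            cp["unknown"].append(tok)
        elif base in PURPOSE:          # only purposes and recipients carry a/i/o
            cp["purposes"][PURPOSE[base]] = REQUIRED.get(suffix, "always")
        elif base in RECIPIENT:
            cp["recipients"][RECIPIENT[base]] = REQUIRED.get(suffix, "always")
        elif suffix:
            cp["unknown"].append(tok)
        elif base in ACCESS:
            cp["access"].append(ACCESS[base])
        elif base in RETENTION:
            cp["retention"].append(RETENTION[base])
        elif base in CATEGORY:
            cp["categories"].append(CATEGORY[base])
        elif base in FLAGS:
            cp["flags"].append(FLAGS[base])
        else:
            cp["unknown"].append(tok)
    return cp


def unsatisfactory_reasons(cp):
    """Constructed rule: a missing compact policy is a reason by itself; otherwise,
    unless the site declares its data non-identifiable (NID), flag any contact,
    telemarketing or other-purpose use, and any sharing beyond the site, that is
    not opt-in."""
    if cp is None:
        return ["no compact policy"]
    if "non-identifiable" in cp["flags"]:
        return []
    reasons = []
    for p in ("contact", "telemarketing", "other-purpose"):
        if cp["purposes"].get(p, "opt-in") != "opt-in":
            reasons.append("purpose %s (%s)" % (p, cp["purposes"][p]))
    for r in ("other-recipient", "unrelated", "public"):
        if cp["recipients"].get(r, "opt-in") != "opt-in":
            reasons.append("recipient %s (%s)" % (r, cp["recipients"][r]))
    return reasons


# Constructed P3P response headers for four hypothetical cookie-setting hosts.
HEADERS = {
    "first-party": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"',
    "ad-network": 'CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONo OTRa UNRa BUS UNI COM NAV INT DEM"',
    "opt-in-sharing": 'CP="CAO DSP COR CURa ADMa CONi OTRi BUS PHY ONL"',
    "no-p3p": "",
}

if __name__ == "__main__":
    for host, header in HEADERS.items():
        print(host, "->", unsatisfactory_reasons(parse_compact_policy(header)) or "ok")
```

The suffix is the part most often mishandled: CONo (contact, opt-out) and CONi (contact, opt-in) differ in one letter but mean opposite defaults for the user, and a decoder that drops the suffix cannot tell them apart. Note also that a compact policy is only a summary; the full policy behind policyref is what a user agent reads when it checks more than cookies.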
AT&T WorldNet Privacy Tool
Testing in WorldNet Beta club later this month
Future FREE public release
http://privacy.research.att.com/
Chirping bird is privacy indicator
Click on the bird for more info
Privacy policy summary - mismatch
What is unique about this?
Automatic processing done for all web page components, not just cookies
Optional pop-up alerts before submitting forms at sites that don't match user preferences
Automatic processing reads full P3P policy, not just compact policies
Privacy icon/button displayed at all sites, not just "unsatisfactory" sites
Privacy icon/button doesn't disappear at sites with pop-ups, no browser toolbar, etc.
Many customization choices for users
P3P language simplified for easier understanding

So why has it taken so long?
In the beginning...
There was the Platform for Internet Content Selection (PICS)
A system for creating rating systems and labeling web sites
Developed by the World Wide Web Consortium (W3C)
Designed primarily so parents could filter content they found inappropriate for their children
Flexible enough to support almost any kind of rating system
How about PICS for privacy?
In 1996 the US Congress and Federal Trade Commission became aware of online privacy concerns
Industry groups began to discuss a strategy for preventing onerous legislation
Those involved with the PICS project suggested that it be used to help people maintain control of their personal info
But why stop there?
Don't just label, negotiate!
And digitally sign agreements
And automatically enforce the agreements
And make it more convenient to store and transfer personal info
And much much more . . .
. . . And so we began work on P3P
P3P1.0
Developing the P3P vocabulary
Examples of difficulties:
Finding the right degree of granularity
Getting agreement between privacy advocates and industry lawyers
Getting agreement between North Americans and Europeans (and Asians, Australians, etc.)
What is personally identifiable information? Is IP address personally identifiable?
... and many more ...
Defining a Reasonable Grammar
There are many pieces of privacy-related information that could be included; how do we know if the grammar is expressive enough?
Could the Web site use the grammar (and vocabulary) to clearly express that its practices meet legal requirements?
Does the grammar provide the ability to express enough information such that a third party could issue recommended settings that are meaningful to users?
Rating Systems and Vocabularies
Example rating system (a report card): Math A, Science B, English B+, Spelling D-, History C, French A-, Spanish F, Gym A+, Art B-, Music C, Drama B
Descriptive Versus Subjective
[Figure: vocabularies placed on axes running from subjective to descriptive, from few variables to many variables, and from simple to complex]
L. Cranor and J. Reagle. Designing a Social Protocol: Lessons Learned from the Platform for Privacy Preferences. In Jeffrey K. MacKie-Mason and David Waterman, eds., Telephony, the Internet, and the Media. Mahwah: Lawrence Erlbaum Associates, 1998. [Paper presented at the Telecommunications Policy Research Conference, Alexandria, VA, September 27-29, 1997.]
Can't derive descriptive from subjective
Descriptive labels: Characters not well developed; Gratuitous sex and violence
A subjective rating alone leaves the question open: Bad acting? Boring plot? Bad script? Dull characters? Unbelievable premise? Unoriginal? Too much violence? Not enough violence?
Recommended Settings
Overlay a simpler subjective vocabulary on top of a more complicated descriptive one
Users can plug in recommended settings as canned configuration files
Example canned settings: Good Mouseclickings; Great Privacy; Nearly Anonymous Surfing; Basic Privacy
AT&T preference settings
Health or medical information
Financial or purchase information
Personally identifiable information
Non-personally identifiable information
Import and export settings
The Myth of Internet Time
Internet time is fast, but most people don't operate on Internet time
Corollary: Most standards bodies don't operate on Internet time
Corollary: Most companies don't operate on Internet time
Corollary: Most governments don't operate on Internet time
Don't expect anything to really happen in Internet time
Don't rely on future inventions
Standards and technologies that are said to be just around the corner are often miles away
And Internet time doesn't change that
But time is a funny thing...
Overall, this specification took a really long time (~5 years)
But the individual decisions that had to be made to create this specification were each made pretty quickly (~2 weeks)
In order to participate effectively in this process, people had to pay close attention and be prepared to review proposals in <2 weeks
Other problems
The evolving W3C process
Ever changing working group membership and W3C staff representatives
Patent problems
Getting the attention of browser implementers
Making the specification work efficiently within existing infrastructure
If you build it, will they come?
Some lessons learned...
A good design is not sufficient
Think about deployment scenarios and adoption strategies from the beginning
Get buy-in from those with the resources and/or power to make things happen
Don't design a kitchen when all people are willing to build right now is a toaster
For more information
Visit the P3P web site: http://www.w3.org/P3P/
Coming soon: http://www.p3ptoolbox.org/
AT&T WorldNet Privacy tool: http://privacy.research.att.com/