Web Privacy with P3P

1
Web Privacy with P3P

• Lorrie Faith CranorP3P Specification Working
  Group ChairATT Labs-Research
• July 2002

http//lorrie.cranor.org/
2
Part I The online privacy landscape
2
3
Part I The online privacy landscape
Outline

• Web privacy concerns
• Surveys
• How do they get my Data?
• Browser chatter
• Cookies 101
• Online and offline merging
• Subpoenas
• Spyware
• Monitoring devices

• Solutions
• Privacy policies
• Voluntary guidelines
• Seal programs
• Chief privacy officers
• Laws and Regulations
• Software tools
• Software tools

4
Web privacy concerns
The Online Privacy Landscape Privacy concerns

• Data is often collected silently
• Web allows large quantities of data to be
  collected inexpensively and unobtrusively
• Data from multiple sources may be merged
• Non-identifiable information can become
  identifiable when merged
• Data collected for business purposes may be used
  in civil and criminal proceedings
• Users given no meaningful choice
• Few sites offer alternatives

5
Privacy surveys find concerns
The Online Privacy Landscape Privacy concerns

• Increasingly people say they are concerned about
  online privacy (80-90 of US Net users)
• Improved privacy protection is factor most likely
  to persuade non-Net users to go online
• 27 of US Net users have abandoned online
  shopping carts due to privacy concerns
• 64 of US Net users decided not to use a web site
  or make an online purchase due to privacy
  concerns
• 34 of US Net users who do not buy online would
  buy online if they didnt have privacy concerns

6
Beyond concern
The Online Privacy Landscape Privacy concerns

• April 1999 Study Beyond ConcernUnderstanding
  Net Users' Attitudes About Online Privacy by
  Cranor, Ackerman and Reagle (US panel results
  reported)
• http//www.research.att.com/projects/privacystud
  y/
• Internet users more likely to provide info when
  they are not identified
• Some types of data more sensitive than others
• Many factors important in decisions about
  information disclosure
• Acceptance of persistent identifiers varies
  according to purpose
• Internet users dislike automatic data transfer

7
Few read privacy policies
The Online Privacy Landscape Privacy concerns

• 3 review online privacy policies carefully most
  of the time
• Most likely to review policy before providing
  credit card info
• Policies too time consuming to read and difficult
  to understand
• 70 would prefer standard privacy policy format
• Most interested in knowing about data sharing and
  how to get off marketing lists
• People are more comfortable at sites that have
  privacy policies, even if they dont read them

8
Survey references
The Online Privacy Landscape Privacy concerns

• Mark S. Ackerman, Lorrie Faith Cranor and Joseph
  Reagle, Beyond Concern Understanding Net Users
  Attitudes About Online Privacy, (ATT Labs, April
  1999), http//www.research.att.com/projects/privac
  ystudy/
• Mary J. Culnan and George R. Milne, The
  Culnan-Milne Survey on Consumers Online Privacy
  Notices Summary of Responses, (December 2001),
  http//www.ftc.gov/bcp/workshops/glb/supporting/cu
  lnan-milne.pdf.
• Cyber Dialogue, Cyber Dialogue Survey Data
  Reveals Lost Revenue for Retailers Due to
  Widespread Consumer Privacy Concerns, (Cyber
  Dialogue, November 7, 2001), http//www.cyberdialo
  gue.com/news/releases/2001/11-07-uco-retail.html.
• Forrester Research, Privacy Issues Inhibit Online
  Spending, (Forrester, October 3, 2001).
• Louis Harris Associates and Alan F. Westin,
  Commerce, Communication and Privacy Online (Louis
  Harris Associates, 1997), http//www.privacyexch
  ange.org/iss/surveys/computersurvey97.html
• Louis Harris Associates and Alan F. Westin.
  E-Commerce and Privacy, What Net Users Want,
  (Sponsored by Price Waterhouse and Privacy
  American Business. P AB, June 1998).
  http//www.privacyexchange.org/iss/surveys/ecommsu
  m.html
• Opinion Research Corporation and Alan F. Westin.
  Freebies and Privacy What Net Users Think.
  Sponsored by Privacy American Business. P AB,
  July 1999. http//www.privacyexchange.org/iss/surv
  eys/sr990714.html
• Privacy Leadership Initiative, Privacy Notices
  Research Final Results, (Conducted by Harris
  Interactive, December 2001), http//www.ftc.gov/bc
  p/workshops/glb/supporting/harris20results.pdf
• An extensive list of privacy surveys from around
  the world is available from http//www.privacyexch
  ange.org/iss/surveys/surveys.html.

9
Browser Chatter
The Online Privacy Landscape How do they get my
data?

• Browsers chatter about
• IP address, domain name, organization,
• Referring page
• Platform O/S, browser
• What information is requested
• URLs and search terms
• Cookies

• To anyone who might be listening
• End servers
• System administrators
• Internet Service Providers
• Other third parties
• Advertising networks
• Anyone who might subpoena log files later

10
Typical HTTP request with cookie
The Online Privacy Landscape How do they get my
data?

• GET /retail/searchresults.asp?qubeer HTTP/1.0
• Referer http//www.us.buy.com/default.asp
• User-Agent Mozilla/4.75 en (X11 U NetBSD
  1.5_ALPHA i386)
• Host www.us.buy.com
• Accept image/gif, image/jpeg, image/pjpeg, /
• Accept-Language en
• Cookie buycountryus dcLocNameBasket
  dcCatID6773 dcLocID6773 dcAdbuybasket loc
  parentLocNameBasket parentLoc6773
  ShopperManager2FShopperManager2F66FUQULL0QBT8M
  MTVSC5MMNKBJFWDVH7 Store107 Category0

11
Referer log problems
The Online Privacy Landscape How do they get my
data?

• GET methods result in values in URL
• These URLs are sent in the referer header to next
  host
• Example
• http//www.merchant.com/cgi_bin/order?nameTomJon
  esaddressheretherecreditcard234876923234PIN
  1234-gtindex.html

12
Cookies 101
The Online Privacy Landscape How do they get my
data?

• Cookies can be useful
• Used like a staple to attach multiple parts of a
  form together
• Used to identify you when you return to a web
  site so you dont have to remember a password
• Used to help web sites understand how people use
  them
• Cookies can do unexpected things
• Used to profile users and track their activities,
  especially across web sites

13
How cookies work the basics
The Online Privacy Landscape How do they get my
data?

• A cookie stores a small string of characters
• A web site asks your browser to set a cookie
• Whenever you return to that site your browser
  sends the cookie back automatically

Please store cookie xyzzy
Here is cookie xyzzy
browser
site
browser
site
First visit to site
Later visits
14
How cookies work advanced
The Online Privacy Landscape How do they get my
data?

• Cookies are only sent back to the site that set
  them but this may be any host in domain
• Sites setting cookies indicate path, domain, and
  expiration for cookies

• Cookies can store user info or a database key
  that is used to look up user info either way
  the cookie enables info to be linked to the
  current browsing session

Send me with requests for index.html on y.x.com
for this session only
Send me with any request to x.com until 2008
DatabaseUsers Email Visits
UserJoe EmailJoe_at_x.com Visits13
User4576904309
15
Cookie terminology
The Online Privacy Landscape How do they get my
data?

• Cookie Replay sending a cookie back to a site
• Session cookie cookie replayed only during
  current browsing session
• Persistent cookie cookie replayed until
  expiration date
• First-party cookie cookie associated with the
  site the user requested
• Third-party cookie cookie associated with an
  image, ad, frame, or other content from a site
  with a different domain name that is embedded in
  the site the user requested
• Browser interprets third-party cookie based on
  domain name, even if both domains are owned by
  the same company

16
Web bugs
The Online Privacy Landscape How do they get my
data?

• Invisible images (1-by-1 pixels, transparent)
  embedded in web pages and cause referer info and
  cookies to be transferred
• Also called web beacons, clear gifs, tracker
  gifs,etc.
• Work just like banner ads from ad networks, but
  you cant see them unless you look at the code
  behind a web page
• Also embedded in HTML formatted email messages,
  MS Word documents, etc.
• For more info on web bugs see http//www.privacyf
  oundation.org/resources/webbug.asp
• For software to detect web bugs see
  http//www.bugnosis.org

17
How data can be linked
The Online Privacy Landscape How do they get my
data?

• Every time the same cookie is replayed to a site,
  the site may add information to the record
  associated with that cookie
• Number of times you visit a link, time, date
• What page you visit
• What page you visited last
• Information you type into a web form
• If multiple cookies are replayed together, they
  are usually logged together, effectively linking
  their data
• Narrow scoped cookie might get logged with broad
  scoped cookie

18
Ad networks
The Online Privacy Landscape How do they get my
data?
Ad companycan get yourname and address fromCD
order andlink them to your search
Search Service
CD Store
19
What ad networks may know
The Online Privacy Landscape How do they get my
data?

• Personal data
• Email address
• Full name
• Mailing address (street, city, state, and Zip
  code)
• Phone number

• Transactional data
• Details of plane trips
• Search phrases used at search engines
• Health conditions

It was not necessary for me to click on the
banner ads for information to be sent to
DoubleClick servers. Richard M. Smith
20
Online and offline merging
The Online Privacy Landscape How do they get my
data?

• In November 1999, DoubleClick purchased Abacus
  Direct, a company possessing detailed consumer
  profiles on more than 90 of US households.
• In mid-February 2000 DoubleClick announced plans
  to merge anonymous online data with personal
  information obtained from offline databases
• By the first week in March 2000 the plans were
  put on hold
• Stock dropped from 125 (12/99) to 80 (03/00)

21
Offline data goes online
The Online Privacy Landscape How do they get my
data?
The Cranor familys 25 most frequentgrocerypurc
hases (sorted by nutritional value)!
22
Subpoenas
The Online Privacy Landscape How do they get my
data?

• Data on online activities is increasingly of
  interest in civil and criminal cases
• The only way to avoid subpoenas is to not have
  data
• In the US, your files on your computer in your
  home have much greater legal protection that your
  files stored on a server on the network

23
Spyware
The Online Privacy Landscape How do they get my
data?

• Spyware Software that employs a user's Internet
  connection, without their knowledge or explicit
  permission, to collect information
• Most products use pseudonymous, but unique ID
• Over 800 known freeware and shareware products
  contain Spyware, for example
• Beeline Search Utility
• GoZilla Download Manager
• Comet Cursor
• Often difficult to uninstall!
• Anti-Spyware Sites
• http//grc.com/oo/spyware.htm
• http//www.adcop.org/smallfish
• http//www.spychecker.com
• http//cexx.org/adware.htm

24
Devices that monitor you
The Online Privacy Landscape How do they get my
data?
Creative Labs Nomad JukeBox Music transfer
software reportsall uploads to Creative
Labs. http//www.nomadworld.com
Sony eMarker Lets you figure out the artitst and
title of songs you hear on the radio. And keeps a
personal log of all the music you like on the
emarker Web site. http//www.emarker.com
Sportbrain Monitors daily workout. Customphone
cradle uploads data to company Web site for
analysis. http//www.sportbrain.com/
CueCat Keeps personal log of advertisements
youre interested in. http//www.crq.com/cuecat.h
tml
See http//www.privacyfoundation.org/
25
Some solutions
The Online Privacy Landscape Solutions

• Privacy policies
• Voluntary guidelines and codes of conduct
• Seal programs
• Chief privacy officers
• Laws and regulations
• Software tools

26
Privacy policies
The Online Privacy Landscape Solutions

• Policies let consumers know about sites privacy
  practices
• Consumers can then decide whether or not
  practices are acceptable, when to opt-in or
  opt-out, and who to do business with
• The presence or privacy policies increases
  consumer trust

27
Privacy policy problems
The Online Privacy Landscape Solutions

• BUT policies are often
• difficult to understand
• hard to find
• take a long time to read
• change without notice

28
Voluntary guidelines
The Online Privacy Landscape Solutions

• Online Privacy Alliancehttp//www.privacyalliance
  .org
• Direct Marketing Association Privacy Promise
  http//www.thedma.org/library/privacy/privacyprom
  ise.shtml
• Network Advertising Initiative Principles
  http//www.networkadvertising.org/

29
OECD fair information principles
The Online Privacy Landscape Solutions

• http//www.oecd.org/dsti/sti/it/secur/prod/PRIV-e
  n.HTM
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability

30
Simplified principles
The Online Privacy Landscape Solutions

• Notice and disclosure
• Choice and consent
• Data security
• Data quality and access
• Recourse and remedies
• US Federal Trade Commission, Privacy Online A
  Report to Congress (June 1998),
  http//www.ftc.gov/reports/privacy3/

31
Seal programs
The Online Privacy Landscape Solutions

• TRUSTe http//www.truste.org
• BBBOnline http//www.bbbonline.org
• CPA WebTrust http//www.cpawebtrust.org/
• Japanese Privacy Mark http//www.jipdec.or.jp/secu
  rity/privacy/

32
Seal program problems
The Online Privacy Landscape Solutions

• Certify only compliance with stated policy
• Limited ability to detect non-compliance
• Minimal privacy requirements
• Dont address privacy issues that go beyond the
  web site
• Nonetheless, reporting requirements are forcing
  licensees to review their own policies and
  practices and think carefully before introducing
  policy changes

33
The Online Privacy Landscape Solutions
34
Chief privacy officers
The Online Privacy Landscape Solutions

• Companies are increasingly appointing CPOs to
  have a central point of contact for privacy
  concerns
• Role of CPO varies in each company
• Draft privacy policy
• Respond to customer concerns
• Educate employees about company privacy policy
• Review new products and services for compliance
  with privacy policy
• Develop new initiatives to keep company out front
  on privacy issue
• Monitor pending privacy legislation

35
Laws and regulations
The Online Privacy Landscape Solutions

• Privacy laws and regulations vary widely
  throughout the world
• US has mostly sector-specific laws, with
  relatively minimal protections
• Federal Trade Commission has jurisdiction over
  fraud and deceptive practices
• Federal Communications Commission regulates
  telecommunications
• European Data Protection Directive requires all
  European Union countries to adopt similar
  comprehensive privacy laws
• Privacy commissions in each country (some
  countries have national and state commissions)
• Many European companies non-compliant with
  privacy laws (2002 study found majority of UK web
  sites non-compliant)

36
Some US privacy laws
The Online Privacy Landscape Solutions

• Bank Secrecy Act, 1970
• Fair Credit Reporting Act, 1971
• Privacy Act, 1974
• Right to Financial Privacy Act, 1978
• Cable TV Privacy Act, 1984
• Video Privacy Protection Act, 1988
• Family Educational Right to Privacy Act, 1993
• Electronic Communications Privacy Act, 1994
• Freedom of Information Act, 1966, 1991, 1996

37
US law recent additions
The Online Privacy Landscape Solutions

• HIPAA (Health Insurance Portability and
  Accountability Act, 1996)
• When implemented, will protect medical records
  and other individually identifiable health
  information
• COPPA (Childrens Online Privacy Protection Act,
  1998)
• Web sites that target children must obtain
  parental consent before collecting personal
  information from children under the age of 13
• GLB (Gramm-Leach-Bliley-Act, 1999)
• Requires privacy policy disclosure and opt-out
  mechanisms from financial service institutions

38
Safe harbor
The Online Privacy Landscape Solutions

• Membership
• US companies self-certify adherance to
  requirements
• Dept. of Commerce maintains signatory list
  http//www.export.gov/safeharbor/
• Signatories must provide
• notice of data collected, purposes, and
  recipients
• choice of opt-out of 3rd-party transfers, opt-in
  for sensitive data
• access rights to delete or edit inaccurate
  information
• security for storage of collected data
• enforcement mechanisms for individual complaints
• Approved July 26, 2000 by EU
• reserves right to renegotiate if remedies for EU
  citizens prove to be inadequate

39
Implications of Directive for web sites
The Online Privacy Landscape Solutions

• European Union Data Directive prohibits secondary
  uses of data without informed consent
• Creating personally-identifiable online profiles
  will have to be opt-in in most cases
• Upfront notice must be given when data is
  collected no web bugs
• No transfer of data to non-EU countries unless
  there is adequate privacy protection

40
Data protection agencies
The Online Privacy Landscape Solutions

• Australia http//www.privacy.gov.au/
• Canada http//www.privcom.gc.ca/
• France http//www.cnil.fr/
• Germany http//www.bfd.bund.de/
• Hong Kong http//www.pco.org.hk/
• Italy http//www.privacy.it/
• Spain http//www.ag-protecciondatos.es/
• Switzerland http//www.edsb.ch/
• UK http//www.dataprotection.gov.uk/
• And many more

41
Software tools
The Online Privacy Landscape Solutions

• Encryption tools prevent others from listening
  in on your communications
• File encryption
• Email encryption
• Encrypted network connections
• Anonymity and pseudonymity tools prevent your
  actions from being linked to you
• Anonymizing proxies
• Mix Networks and similar web anonymity tools
• Anonymous email

• Information and transparency tools make
  informed choices about how your information will
  be used
• Identity management tools
• P3P
• Filters
• Cookie cutters
• Child protection software
• Other tools
• Computer cleaners
• Privacy suites
• Personal firewalls

42
The Anonymizer
The Online Privacy Landscape Solutions
Anonymizer
Client
Server

• Acts as a proxy for users
• Hides information from end servers
• Sees all web traffic
• Adds ads to pages (free service subscription
  service also available)
• http//www.anonymizer.com

43
Mixes Chaum81
The Online Privacy Landscape Solutions
Sender
Destination
Mix C
Mix A
Mix B
Sender routes message randomly through network
of Mixes, using layered public-key encryption.
44
Crowds
The Online Privacy Landscape Solutions

• Users join a Crowd of other users
• Web requests from the crowd cannot be linked to
  any individual
• Protection from
• end servers
• other crowd members
• system administrators
• eavesdroppers
• First system to hide data shadow on the web
  without trusting a central authority
• http//www.research.att.com/projects/crowds/

45
Anonymous email
The Online Privacy Landscape Solutions

• Anonymous remailers allow people to send email
  anonymously
• Similar to anonymous web proxies
• Some can be chained and work like mixes
• http//anon.efga.org/rlist

46
Filters
The Online Privacy Landscape Solutions

• Cookie Cutters
• Block cookies, allow for more fine-grained cookie
  control, etc.
• Some also filter ads, referer header, and browser
  chatter
• http//www.junkbusters.com/ht/en/links.htmlmeasu
  res
• Child Protection Software
• Block the transmission of certain information via
  email, chat rooms, or web forms when child is
  using computer
• Limit who a child can email or chat with
• http//www.getnetwise.org/

47
Privacy tools
The Online Privacy Landscape Solutions
The Internet
Service
User
48
Privacy web sites
The Online Privacy Landscape

• http//www.aclu.org/
• http//www.cdt.org/
• http//www.cpsr.org/
• http//www.consumerprivacyguide.org/
• http//www.eff.org/
• http//www.epic.org/
• http//www.healthprivacy.org/
• http//www.junkbusters.com/
• http//www.privacyalliance.org/
• http//www.pandab.org/
• http//www.privacyexchange.org/

• http//www.vortex.com/privacy.html
• http//www.privacyfoundation.org/
• http//www.privacy.org/pi/
• http//www.privacyjournal.net/
• http//www.understandingprivacy.org/
• http//www.privacy.org/
• http//www.privacyplace.com/
• http//www.privacyrights.org/
• http//www.privacytimes.com/
• http//www.anu.edu.au/people/Roger.Clarke/DV/inde
  x.html
• http//headlines.yahoo.com/Full_Coverage/Tech/Int
  ernet_Privacy/

49
Books
The Online Privacy Landscape

• Web Privacy with P3P by Lorrie Faith Cranor
• Database Nation by Simson Garfinkel
• The Privacy Law Sourcebook 2001 United States
  Law, International Law, and Recent Developments
  by Marc Rotenberg