Title: Web Privacy with P3P
1Web Privacy with P3P
- Lorrie Faith CranorP3P Specification Working
Group ChairATT Labs-Research - July 2002
http//lorrie.cranor.org/
2Part I The online privacy landscape
2
3Part I The online privacy landscape
Outline
- Web privacy concerns
- Surveys
- How do they get my Data?
- Browser chatter
- Cookies 101
- Online and offline merging
- Subpoenas
- Spyware
- Monitoring devices
- Solutions
- Privacy policies
- Voluntary guidelines
- Seal programs
- Chief privacy officers
- Laws and Regulations
- Software tools
- Software tools
4Web privacy concerns
The Online Privacy Landscape Privacy concerns
- Data is often collected silently
- Web allows large quantities of data to be
collected inexpensively and unobtrusively - Data from multiple sources may be merged
- Non-identifiable information can become
identifiable when merged - Data collected for business purposes may be used
in civil and criminal proceedings - Users given no meaningful choice
- Few sites offer alternatives
5Privacy surveys find concerns
The Online Privacy Landscape Privacy concerns
- Increasingly people say they are concerned about
online privacy (80-90 of US Net users) - Improved privacy protection is factor most likely
to persuade non-Net users to go online - 27 of US Net users have abandoned online
shopping carts due to privacy concerns - 64 of US Net users decided not to use a web site
or make an online purchase due to privacy
concerns - 34 of US Net users who do not buy online would
buy online if they didnt have privacy concerns
6Beyond concern
The Online Privacy Landscape Privacy concerns
- April 1999 Study Beyond ConcernUnderstanding
Net Users' Attitudes About Online Privacy by
Cranor, Ackerman and Reagle (US panel results
reported) - http//www.research.att.com/projects/privacystud
y/ - Internet users more likely to provide info when
they are not identified - Some types of data more sensitive than others
- Many factors important in decisions about
information disclosure - Acceptance of persistent identifiers varies
according to purpose - Internet users dislike automatic data transfer
7Few read privacy policies
The Online Privacy Landscape Privacy concerns
- 3 review online privacy policies carefully most
of the time - Most likely to review policy before providing
credit card info - Policies too time consuming to read and difficult
to understand - 70 would prefer standard privacy policy format
- Most interested in knowing about data sharing and
how to get off marketing lists - People are more comfortable at sites that have
privacy policies, even if they dont read them
8Survey references
The Online Privacy Landscape Privacy concerns
- Mark S. Ackerman, Lorrie Faith Cranor and Joseph
Reagle, Beyond Concern Understanding Net Users
Attitudes About Online Privacy, (ATT Labs, April
1999), http//www.research.att.com/projects/privac
ystudy/ - Mary J. Culnan and George R. Milne, The
Culnan-Milne Survey on Consumers Online Privacy
Notices Summary of Responses, (December 2001),
http//www.ftc.gov/bcp/workshops/glb/supporting/cu
lnan-milne.pdf. - Cyber Dialogue, Cyber Dialogue Survey Data
Reveals Lost Revenue for Retailers Due to
Widespread Consumer Privacy Concerns, (Cyber
Dialogue, November 7, 2001), http//www.cyberdialo
gue.com/news/releases/2001/11-07-uco-retail.html. - Forrester Research, Privacy Issues Inhibit Online
Spending, (Forrester, October 3, 2001). - Louis Harris Associates and Alan F. Westin,
Commerce, Communication and Privacy Online (Louis
Harris Associates, 1997), http//www.privacyexch
ange.org/iss/surveys/computersurvey97.html - Louis Harris Associates and Alan F. Westin.
E-Commerce and Privacy, What Net Users Want,
(Sponsored by Price Waterhouse and Privacy
American Business. P AB, June 1998).
http//www.privacyexchange.org/iss/surveys/ecommsu
m.html - Opinion Research Corporation and Alan F. Westin.
Freebies and Privacy What Net Users Think.
Sponsored by Privacy American Business. P AB,
July 1999. http//www.privacyexchange.org/iss/surv
eys/sr990714.html - Privacy Leadership Initiative, Privacy Notices
Research Final Results, (Conducted by Harris
Interactive, December 2001), http//www.ftc.gov/bc
p/workshops/glb/supporting/harris20results.pdf - An extensive list of privacy surveys from around
the world is available from http//www.privacyexch
ange.org/iss/surveys/surveys.html.
9Browser Chatter
The Online Privacy Landscape How do they get my
data?
- Browsers chatter about
- IP address, domain name, organization,
- Referring page
- Platform O/S, browser
- What information is requested
- URLs and search terms
- Cookies
- To anyone who might be listening
- End servers
- System administrators
- Internet Service Providers
- Other third parties
- Advertising networks
- Anyone who might subpoena log files later
10Typical HTTP request with cookie
The Online Privacy Landscape How do they get my
data?
- GET /retail/searchresults.asp?qubeer HTTP/1.0
- Referer http//www.us.buy.com/default.asp
- User-Agent Mozilla/4.75 en (X11 U NetBSD
1.5_ALPHA i386) - Host www.us.buy.com
- Accept image/gif, image/jpeg, image/pjpeg, /
- Accept-Language en
- Cookie buycountryus dcLocNameBasket
dcCatID6773 dcLocID6773 dcAdbuybasket loc
parentLocNameBasket parentLoc6773
ShopperManager2FShopperManager2F66FUQULL0QBT8M
MTVSC5MMNKBJFWDVH7 Store107 Category0
11Referer log problems
The Online Privacy Landscape How do they get my
data?
- GET methods result in values in URL
- These URLs are sent in the referer header to next
host - Example
- http//www.merchant.com/cgi_bin/order?nameTomJon
esaddressheretherecreditcard234876923234PIN
1234-gtindex.html
12Cookies 101
The Online Privacy Landscape How do they get my
data?
- Cookies can be useful
- Used like a staple to attach multiple parts of a
form together - Used to identify you when you return to a web
site so you dont have to remember a password - Used to help web sites understand how people use
them - Cookies can do unexpected things
- Used to profile users and track their activities,
especially across web sites
13How cookies work the basics
The Online Privacy Landscape How do they get my
data?
- A cookie stores a small string of characters
- A web site asks your browser to set a cookie
- Whenever you return to that site your browser
sends the cookie back automatically
Please store cookie xyzzy
Here is cookie xyzzy
browser
site
browser
site
First visit to site
Later visits
14How cookies work advanced
The Online Privacy Landscape How do they get my
data?
- Cookies are only sent back to the site that set
them but this may be any host in domain - Sites setting cookies indicate path, domain, and
expiration for cookies
- Cookies can store user info or a database key
that is used to look up user info either way
the cookie enables info to be linked to the
current browsing session
Send me with requests for index.html on y.x.com
for this session only
Send me with any request to x.com until 2008
DatabaseUsers Email Visits
UserJoe EmailJoe_at_x.com Visits13
User4576904309
15Cookie terminology
The Online Privacy Landscape How do they get my
data?
- Cookie Replay sending a cookie back to a site
- Session cookie cookie replayed only during
current browsing session - Persistent cookie cookie replayed until
expiration date - First-party cookie cookie associated with the
site the user requested - Third-party cookie cookie associated with an
image, ad, frame, or other content from a site
with a different domain name that is embedded in
the site the user requested - Browser interprets third-party cookie based on
domain name, even if both domains are owned by
the same company
16Web bugs
The Online Privacy Landscape How do they get my
data?
- Invisible images (1-by-1 pixels, transparent)
embedded in web pages and cause referer info and
cookies to be transferred - Also called web beacons, clear gifs, tracker
gifs,etc. - Work just like banner ads from ad networks, but
you cant see them unless you look at the code
behind a web page - Also embedded in HTML formatted email messages,
MS Word documents, etc. - For more info on web bugs see http//www.privacyf
oundation.org/resources/webbug.asp - For software to detect web bugs see
http//www.bugnosis.org
17How data can be linked
The Online Privacy Landscape How do they get my
data?
- Every time the same cookie is replayed to a site,
the site may add information to the record
associated with that cookie - Number of times you visit a link, time, date
- What page you visit
- What page you visited last
- Information you type into a web form
- If multiple cookies are replayed together, they
are usually logged together, effectively linking
their data - Narrow scoped cookie might get logged with broad
scoped cookie
18Ad networks
The Online Privacy Landscape How do they get my
data?
Ad companycan get yourname and address fromCD
order andlink them to your search
Search Service
CD Store
19What ad networks may know
The Online Privacy Landscape How do they get my
data?
- Personal data
- Email address
- Full name
- Mailing address (street, city, state, and Zip
code) - Phone number
- Transactional data
- Details of plane trips
- Search phrases used at search engines
- Health conditions
It was not necessary for me to click on the
banner ads for information to be sent to
DoubleClick servers. Richard M. Smith
20Online and offline merging
The Online Privacy Landscape How do they get my
data?
- In November 1999, DoubleClick purchased Abacus
Direct, a company possessing detailed consumer
profiles on more than 90 of US households. - In mid-February 2000 DoubleClick announced plans
to merge anonymous online data with personal
information obtained from offline databases - By the first week in March 2000 the plans were
put on hold - Stock dropped from 125 (12/99) to 80 (03/00)
21Offline data goes online
The Online Privacy Landscape How do they get my
data?
The Cranor familys 25 most frequentgrocerypurc
hases (sorted by nutritional value)!
22Subpoenas
The Online Privacy Landscape How do they get my
data?
- Data on online activities is increasingly of
interest in civil and criminal cases - The only way to avoid subpoenas is to not have
data - In the US, your files on your computer in your
home have much greater legal protection that your
files stored on a server on the network
23Spyware
The Online Privacy Landscape How do they get my
data?
- Spyware Software that employs a user's Internet
connection, without their knowledge or explicit
permission, to collect information - Most products use pseudonymous, but unique ID
- Over 800 known freeware and shareware products
contain Spyware, for example - Beeline Search Utility
- GoZilla Download Manager
- Comet Cursor
- Often difficult to uninstall!
- Anti-Spyware Sites
- http//grc.com/oo/spyware.htm
- http//www.adcop.org/smallfish
- http//www.spychecker.com
- http//cexx.org/adware.htm
24Devices that monitor you
The Online Privacy Landscape How do they get my
data?
Creative Labs Nomad JukeBox Music transfer
software reportsall uploads to Creative
Labs. http//www.nomadworld.com
Sony eMarker Lets you figure out the artitst and
title of songs you hear on the radio. And keeps a
personal log of all the music you like on the
emarker Web site. http//www.emarker.com
Sportbrain Monitors daily workout. Customphone
cradle uploads data to company Web site for
analysis. http//www.sportbrain.com/
CueCat Keeps personal log of advertisements
youre interested in. http//www.crq.com/cuecat.h
tml
See http//www.privacyfoundation.org/
25Some solutions
The Online Privacy Landscape Solutions
- Privacy policies
- Voluntary guidelines and codes of conduct
- Seal programs
- Chief privacy officers
- Laws and regulations
- Software tools
26Privacy policies
The Online Privacy Landscape Solutions
- Policies let consumers know about sites privacy
practices - Consumers can then decide whether or not
practices are acceptable, when to opt-in or
opt-out, and who to do business with - The presence or privacy policies increases
consumer trust
27Privacy policy problems
The Online Privacy Landscape Solutions
- BUT policies are often
- difficult to understand
- hard to find
- take a long time to read
- change without notice
28Voluntary guidelines
The Online Privacy Landscape Solutions
- Online Privacy Alliancehttp//www.privacyalliance
.org - Direct Marketing Association Privacy Promise
http//www.thedma.org/library/privacy/privacyprom
ise.shtml - Network Advertising Initiative Principles
http//www.networkadvertising.org/
29OECD fair information principles
The Online Privacy Landscape Solutions
- http//www.oecd.org/dsti/sti/it/secur/prod/PRIV-e
n.HTM - Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability
30Simplified principles
The Online Privacy Landscape Solutions
- Notice and disclosure
- Choice and consent
- Data security
- Data quality and access
- Recourse and remedies
- US Federal Trade Commission, Privacy Online A
Report to Congress (June 1998),
http//www.ftc.gov/reports/privacy3/
31Seal programs
The Online Privacy Landscape Solutions
- TRUSTe http//www.truste.org
- BBBOnline http//www.bbbonline.org
- CPA WebTrust http//www.cpawebtrust.org/
- Japanese Privacy Mark http//www.jipdec.or.jp/secu
rity/privacy/
32Seal program problems
The Online Privacy Landscape Solutions
- Certify only compliance with stated policy
- Limited ability to detect non-compliance
- Minimal privacy requirements
- Dont address privacy issues that go beyond the
web site - Nonetheless, reporting requirements are forcing
licensees to review their own policies and
practices and think carefully before introducing
policy changes
33The Online Privacy Landscape Solutions
34Chief privacy officers
The Online Privacy Landscape Solutions
- Companies are increasingly appointing CPOs to
have a central point of contact for privacy
concerns - Role of CPO varies in each company
- Draft privacy policy
- Respond to customer concerns
- Educate employees about company privacy policy
- Review new products and services for compliance
with privacy policy - Develop new initiatives to keep company out front
on privacy issue - Monitor pending privacy legislation
35Laws and regulations
The Online Privacy Landscape Solutions
- Privacy laws and regulations vary widely
throughout the world - US has mostly sector-specific laws, with
relatively minimal protections - Federal Trade Commission has jurisdiction over
fraud and deceptive practices - Federal Communications Commission regulates
telecommunications - European Data Protection Directive requires all
European Union countries to adopt similar
comprehensive privacy laws - Privacy commissions in each country (some
countries have national and state commissions) - Many European companies non-compliant with
privacy laws (2002 study found majority of UK web
sites non-compliant)
36Some US privacy laws
The Online Privacy Landscape Solutions
- Bank Secrecy Act, 1970
- Fair Credit Reporting Act, 1971
- Privacy Act, 1974
- Right to Financial Privacy Act, 1978
- Cable TV Privacy Act, 1984
- Video Privacy Protection Act, 1988
- Family Educational Right to Privacy Act, 1993
- Electronic Communications Privacy Act, 1994
- Freedom of Information Act, 1966, 1991, 1996
37US law recent additions
The Online Privacy Landscape Solutions
- HIPAA (Health Insurance Portability and
Accountability Act, 1996) - When implemented, will protect medical records
and other individually identifiable health
information - COPPA (Childrens Online Privacy Protection Act,
1998) - Web sites that target children must obtain
parental consent before collecting personal
information from children under the age of 13 - GLB (Gramm-Leach-Bliley-Act, 1999)
- Requires privacy policy disclosure and opt-out
mechanisms from financial service institutions
38Safe harbor
The Online Privacy Landscape Solutions
- Membership
- US companies self-certify adherance to
requirements - Dept. of Commerce maintains signatory list
http//www.export.gov/safeharbor/ - Signatories must provide
- notice of data collected, purposes, and
recipients - choice of opt-out of 3rd-party transfers, opt-in
for sensitive data - access rights to delete or edit inaccurate
information - security for storage of collected data
- enforcement mechanisms for individual complaints
- Approved July 26, 2000 by EU
- reserves right to renegotiate if remedies for EU
citizens prove to be inadequate
39Implications of Directive for web sites
The Online Privacy Landscape Solutions
- European Union Data Directive prohibits secondary
uses of data without informed consent - Creating personally-identifiable online profiles
will have to be opt-in in most cases - Upfront notice must be given when data is
collected no web bugs - No transfer of data to non-EU countries unless
there is adequate privacy protection
40Data protection agencies
The Online Privacy Landscape Solutions
- Australia http//www.privacy.gov.au/
- Canada http//www.privcom.gc.ca/
- France http//www.cnil.fr/
- Germany http//www.bfd.bund.de/
- Hong Kong http//www.pco.org.hk/
- Italy http//www.privacy.it/
- Spain http//www.ag-protecciondatos.es/
- Switzerland http//www.edsb.ch/
- UK http//www.dataprotection.gov.uk/
- And many more
41Software tools
The Online Privacy Landscape Solutions
- Encryption tools prevent others from listening
in on your communications - File encryption
- Email encryption
- Encrypted network connections
- Anonymity and pseudonymity tools prevent your
actions from being linked to you - Anonymizing proxies
- Mix Networks and similar web anonymity tools
- Anonymous email
- Information and transparency tools make
informed choices about how your information will
be used - Identity management tools
- P3P
- Filters
- Cookie cutters
- Child protection software
- Other tools
- Computer cleaners
- Privacy suites
- Personal firewalls
42The Anonymizer
The Online Privacy Landscape Solutions
Anonymizer
Client
Server
- Acts as a proxy for users
- Hides information from end servers
- Sees all web traffic
- Adds ads to pages (free service subscription
service also available) - http//www.anonymizer.com
43Mixes Chaum81
The Online Privacy Landscape Solutions
Sender
Destination
Mix C
Mix A
Mix B
Sender routes message randomly through network
of Mixes, using layered public-key encryption.
44Crowds
The Online Privacy Landscape Solutions
- Users join a Crowd of other users
- Web requests from the crowd cannot be linked to
any individual - Protection from
- end servers
- other crowd members
- system administrators
- eavesdroppers
- First system to hide data shadow on the web
without trusting a central authority - http//www.research.att.com/projects/crowds/
45Anonymous email
The Online Privacy Landscape Solutions
- Anonymous remailers allow people to send email
anonymously - Similar to anonymous web proxies
- Some can be chained and work like mixes
- http//anon.efga.org/rlist
46Filters
The Online Privacy Landscape Solutions
- Cookie Cutters
- Block cookies, allow for more fine-grained cookie
control, etc. - Some also filter ads, referer header, and browser
chatter - http//www.junkbusters.com/ht/en/links.htmlmeasu
res - Child Protection Software
- Block the transmission of certain information via
email, chat rooms, or web forms when child is
using computer - Limit who a child can email or chat with
- http//www.getnetwise.org/
47Privacy tools
The Online Privacy Landscape Solutions
The Internet
Service
User
48Privacy web sites
The Online Privacy Landscape
- http//www.aclu.org/
- http//www.cdt.org/
- http//www.cpsr.org/
- http//www.consumerprivacyguide.org/
- http//www.eff.org/
- http//www.epic.org/
- http//www.healthprivacy.org/
- http//www.junkbusters.com/
- http//www.privacyalliance.org/
- http//www.pandab.org/
- http//www.privacyexchange.org/
- http//www.vortex.com/privacy.html
- http//www.privacyfoundation.org/
- http//www.privacy.org/pi/
- http//www.privacyjournal.net/
- http//www.understandingprivacy.org/
- http//www.privacy.org/
- http//www.privacyplace.com/
- http//www.privacyrights.org/
- http//www.privacytimes.com/
- http//www.anu.edu.au/people/Roger.Clarke/DV/inde
x.html - http//headlines.yahoo.com/Full_Coverage/Tech/Int
ernet_Privacy/
49Books
The Online Privacy Landscape
- Web Privacy with P3P by Lorrie Faith Cranor
- Database Nation by Simson Garfinkel
- The Privacy Law Sourcebook 2001 United States
Law, International Law, and Recent Developments
by Marc Rotenberg