Privacy Online PowerPoint PPT Presentation


Title: Privacy Online


1
Privacy Online
  • Jane Turk, Ph.D.
  • CIS 610
  • Summer 2003

2
Outline
  • background perspectives
  • surveys of current Internet use
  • children's online privacy
  • consumer online privacy
  • possible solution routes

3
Business Perspective
  • Direct Marketing > $176 billion a year
  • over 10,000 compiled publicly traded databases
    on market today
  • private databases, with little or no regulation
    except in financial industry
  • ability to capture info about users on Web
  • target marketing

4
Privacy Perspective
  • protecting privacy of consumer info is very
    important to consumers
  • consumers don't know scope of data maintained on them
  • strong privacy standards
  • develop trust in users
  • encourage development of online commerce

5
Major Concerns of Consumers
  • companies they patronize will provide their information to other companies without their permission (75%)
  • their transactions may not be secure (70%)
  • hackers will steal their personal data (69%)
  • source: Harris survey, Nov 2001

6
Most Important Elements to be Verified
  • security measures are adequate (90%)
  • company does not release customer personal data without permission (89%)
  • access within the company is limited (84%)
  • company is only collecting info that its privacy policies dictate (84%)
  • info use or sharing follows stated privacy policies (81%)
  • source: Harris survey, Nov 2001

7
Suggested Remedy
  • verify privacy policy by a third party (and 91% would do more business)
  • online seal of approval does not necessarily verify
  • BBBOnLine and TRUSTe
  • audit by major accounting firm
  • PricewaterhouseCoopers
  • source: Harris survey, Nov 2001

8
Fair Information Principles
  • consumers be given:
  • notice of entity's info practices
  • choice/consent with respect to secondary use and dissemination of info collected from or about them
  • access to info about them
  • collector assure security and integrity of info
  • provide enforcement mechanism

9
Public Records Online
  • NYC voter registration site
  • NJ info on those licensed by state
  • registries of sex offenders
  • federal judges' recommendation to put most civil proceedings online but to restrict criminal proceedings
  • good source: www.epic.org/privacy/publicrecords

10
Children's Privacy
  • Federal Trade Commission
  • children are avid consumers and influence
    spending
  • information collection targets are ages 8-11
  • business goal: microtarget individual child
  • CME 1996 study exposed the issues

11
FTC Kids Privacy Surf Day
  • snapshot, not comprehensive survey
  • 126 sites listed by Yahooligans!
  • results announced Dec 1997
  • 86% of sites surveyed were collecting personally identifiable info on children
  • fewer than 30% of sites had privacy policy
  • another review March 1998

12
FTC 1998 Report: Children's Sites
  • of 212 sites directed at children:
  • 89% collect personally identifiable info directly from children
  • 54% disclose info collection practices
  • fewer than 10% provide for some form of parental control

13
Children's Online Privacy Protection Act (1998)
  • parental consent required for collection, use,
    disclosure of personal information from children
    under 13
  • parents may prevent further use or collection
  • parents may review information

14
Privacy Journal Recommendations
  • parent:
  • approve kids giving email address
  • totally involved in kids giving physical address
  • order products in parent's name
  • kid:
  • can use (false) nickname
  • never use name and address to buy

15
Annenberg 2000 Study
  • 29% of parents would give identifying info in exchange for a free gift worth $100
  • 45% of kids ages 10-17 would
  • 39% of girls, 54% of boys
  • parents need help

16
Cookies
  • passive files stored on hard drives of Netscape and Microsoft IE users
  • store a customer ID number for site/network
  • used by online advertisers to track a user's movements
  • profiling, preferences
  • issue: transparency

17
Why Cookies?
  • HTTP is stateless: keeps no information from a connection
  • with cookies, a Web page can remember you from
    your last visit
  • enable much of interactivity
  • customization, shopping baskets

18
Online Profiling: How and Where
  • cookies, web bugs, URLs, info you provide
  • anonymous, unless you identify yourself
  • in customer database of the site/network
  • pages/sites visited
  • DoubleClick tracks movement on 1500 sites

19
Online Profiling: Pros and Cons
  • deliver desired content to user
  • provide information about interests of individual
  • aggregate info about site
  • info collected often without knowledge or consent

20
Spyware
  • conducts surveillance on a computer
  • usually placed without knowledge or consent of
    computer owner
  • violates basic FIPS
  • e.g., phone home programs, Web bugs, home web
    monitoring

21
Web Bugs
  • clear GIFs, embedded images
  • transmit info when page is viewed: where, when
  • designed to monitor who is viewing page
  • e.g., HTML mail
  • recent SW enables detection
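
Added example (not from the original presentation): one way detection software of the kind mentioned on this slide can flag clear GIFs in HTML mail, by looking for remote images that are 1x1 or hidden. The function names, the heuristics and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

_TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)  # "0", "1" or "1px"
_STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample message; every host is a reserved .example name.
SAMPLE_MAIL = """<html><body>
<img src="https://newsletter.example/logo.png" width="200" height="50">
<img src="cid:banner@newsletter.example" width="1" height="1">
<img src="http://tracker.example/open.gif?uid=CONSTRUCTED-1234" width="1" height="1" />
<img src="https://newsletter.example/b.gif" style="display:none">
</body></html>"""

class WebBugFinder(HTMLParser):
    """Collects remote <img> tags that are 1x1 or hidden."""
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, no request is made
        style = a.get("style", "")
        dims = {"width": a.get("width"), "height": a.get("height")}
        for name, value in _STYLE_DIM.findall(style):
            dims[name.lower()] = value
        tiny = all(v is not None and _TINY.match(v) for v in dims.values())
        hidden = bool(_HIDDEN.search(style))
        if not (tiny or hidden):
            return
        host = (url.hostname or "").lower()
        self.findings.append({
            "host": host,
            "third_party": host not in self.first_party,
            "carries_id": bool(url.query),  # query string can single out a reader
            "reason": "1x1 image" if tiny else "hidden image",
        })

def find_web_bugs(html, first_party_hosts=()):
    finder = WebBugFinder(first_party_hosts)
    finder.feed(html)
    return finder.findings
```

The visible logo and the embedded `cid:` image are ignored; only images that would trigger a request to a remote server on viewing are reported.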

22
The Net NEVER Forgets
  • Internet Archive scoops up the Web
  • postings to Usenet groups are saved in Deja News
  • now http://groups.google.com
  • posts to email forums and chat services are
    searchable
  • public record

23
Costs to Business of Not Protecting Privacy
  • sales lost may be $18 billion
  • older business models may be less effective than
    privacy-friendly models
  • lost opportunities and higher costs for imported
    personal data
  • safe harbor includes complying with FIPS
  • source: Robert Gellman, Privacy, Consumers, and Costs

24
Costs to Consumers When Privacy Is Not Protected
  • higher prices
  • stopping junk mail and telemarketing calls
  • avoiding identity theft
  • protecting privacy on the Internet
  • source: Robert Gellman, Privacy, Consumers, and Costs

25
Solution Routes
  • education, including
  • fair information principles
  • best business practices
  • industry self-regulation
  • technology
  • legislation

26
Industry Self-Regulation for privacy
  • depends on posted privacy policies
  • coming integrated suites of tools
  • online privacy seal programs
  • e.g., TRUSTe, BBBOnLine
  • implement some FIPS and monitor compliance
  • public audit of privacy policies
  • e.g., www.thedailyapple.com

27
FTC Action Against Toysmart
  • privacy policy promised never to divulge customer
    information
  • certified by TRUSTe
  • FTC could intervene
  • bankrupt company advertised databases and
    customer lists for sale
  • FTC sued to prevent sale of customer info

28
Privacy Enhancing Technologies (PETs)
  • seek to eliminate use of personal data from
    transactions or give direct control for
    disclosure of personal information to individual
    concerned
  • standard format for ratings systems: Platform for Internet Content Selection
  • machine-to-machine protocol for data exchange: P3P (Platform for Privacy Preferences)
  • anonymous use

29
Proposed Online Personal Privacy Act (S. 2201 in 107th)
  • opt-in for sensitive personally identifiable info
  • opt-out for less sensitive info
  • follows most FIPS
  • preempts state legislation on online privacy

30
Sources
  • Adkinson, William et al. Privacy Online: A report on the information practices and policies of commercial web sites, March 2002. The Progress and Freedom Foundation.
  • Center for Democracy and Technology. Guide to Online Privacy, http://www.cdt.org/privacy/guide/introduction/
  • Electronic Privacy Information Center. "Surfer Beware III: Privacy Policies Without Privacy Protection." Dec. 1999, <http://www.epic.org/reports/surfer-beware3.html>

31
  • Federal Trade Commission. Privacy Online: Fair Information Practices in the Electronic Marketplace, May 2000, www.ftc.gov/reports/privacy2000/privacy2000.pdf
  • Gellman, Robert. Privacy, Consumers, and Costs: how the lack of privacy costs consumers and why business studies of privacy costs are biased and incomplete, March 2002. www.epic.org/reports/dmfprivacy.html

32
  • Goldman, Janlori and Zoe Hudson and Richard M. Smith. Privacy: Report on the Privacy Policies and practices of Health Web Sites. Sponsored by California HealthCare Foundation, January 2000, http://admin.chcf.org/documents/ehealth/privacywebreport.pdf
  • Pew Internet and American Life Project. Trust and Privacy Online: Why Americans Want to Rewrite the Rules, Aug 2000, www.pewinternet.org/reports/pdfs/PIP_Trust_Privacy_Report.pdf