Date post: 22-Dec-2015
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1

CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/

Introduction to Privacy and P3P

Fall 2009



Privacy is hard to define

“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”

Robert C. Post, Three Concepts of Privacy, 89 Geo. L.J. 2087 (2001).


Britney Spears: “We just need privacy”

“You have to realize that we’re people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being.”

— Britney Spears, 15 June 2006, NBC Dateline

http://www.cnn.com/2006/SHOWBIZ/Music/06/15/people.spears.reut/index.html


Only a goldfish can live without privacy…


Some definitions from the academic literature

– Personhood
– Intimacy
– Secrecy
– Contextual integrity
– Limited access to the self
– Control over information

Most relevant to “usable privacy”


Limited access to self

“Being alone.” - Shane (age 4)

1890: “the right to be let alone” - Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)

1980: “our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention.” - Ruth Gavison, “Privacy and the Limits of the Law,” Yale Law Journal 89 (1980)


Control over information

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”

“…each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….”

Alan Westin, Privacy and Freedom, 1967


Realizing limited access and control

Limited access
– Laws to prohibit or limit collection, disclosure, contact
– Technology to facilitate anonymous transactions, minimize disclosure

Control
– Laws to mandate choice (opt-in/opt-out)
– Technology to facilitate informed consent, keep track of and enforce privacy preferences


Privacy concerns seem inconsistent with behavior

People say they want privacy, but don’t always take steps to protect it

Many possible explanations
– They don’t really care that much about privacy
– They prefer immediate gratification to privacy protections that they won’t benefit from until later
– They don’t understand the privacy implications of their behavior
– The cost of privacy protection (including figuring out how to protect their privacy) is too high


Privacy policies

Inform consumers about privacy practices
– Consumers can decide whether practices are acceptable, when to opt-out

Most policies require college-level skills to understand, are long, and change without notice
– Few people read privacy policies

Existing privacy policies are not an effective way to inform consumers or give them privacy controls


Cost of reading privacy policies

What would happen if everyone read the privacy policy for each site they visited once each month?

Time = 244 hours/year
Cost = $3,534/year
National opportunity cost for time to read policies: $781 billion

A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008 Privacy Year in Review Issue. http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf


Privacy policy format study

Reading-comprehension and opinion questions about privacy policies in various formats

People could accurately answer questions where they could find the answer by scanning or keyword
– Does Acme use cookies? (98%)

People had trouble with questions that required more reading comprehension
– Does this policy allow Acme to put you on an email marketing list? (71%)
– Does this policy allow Acme to share your email address with a marketing company that might put you on their email marketing list? (52%)

Even well-written policies are not well-liked and are difficult to use

Layered notices don’t appear to help much

A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009. http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf


Can we create a better privacy policy?

– Easy to understand
– Fast to find information
– Easy to compare


Towards a privacy “nutrition label”

Standardized format
– People learn where to look for answers to their questions
– Facilitates side-by-side policy comparisons

Standardized language
– People learn what the terminology means

Brief
– People can get their questions answered quickly

Linked to extended view
– People can drill down and get more details if needed


Nutrition labels for privacy

Iterative process

Next steps: put it online and make it interactive

http://cups.cs.cmu.edu/privacyLabel

P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A “Nutrition Label” for Privacy. SOUPS 2009. http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf


Another approach to privacy communication

Privacy Finder search engine
– Checks each search result for a computer-readable P3P privacy policy, evaluates it against the user’s preferences
– Composes a search result page with privacy meter annotations and links to a “Privacy Report”
– Allows people to comparison shop for privacy

http://privacyfinder.org/


Demo


Impact of privacy information on decision making

Online shopping study conducted at CMU lab
– Paid participants to make online purchases with their own credit cards, exposing their own personal information
– Participants paid a fixed amount and told to keep the change – real tradeoff between money and privacy

Studies demonstrate that when readily accessible and comparable privacy information is presented in search results, many people will pay more for better privacy

J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. WEIS 2007. http://weis2007.econinfosec.org/papers/57.pdf

S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI2009. http://www.guanotronic.com/~serge/papers/chi09a.pdf

http://privacyfinder.org/


Requirements for meaningful control

– Individuals must understand what options they have
– Individuals must understand the implications of their options
– Individuals must have the means to exercise options
– Costs must be reasonable
  • Money, time, convenience, benefits


Location-Based Services

Surveyed 89 location-sharing services
– 17% had easily-accessible privacy settings
– 12% allowed users to specify rules to share location with groups of their friends
– Only 1 had time- or location-based rules

J. Tsai, P. Kelley, L. Cranor, and N. Sadeh. Location-Sharing Technologies: Privacy Risks and Controls. TPRC 2009. http://cups.cs.cmu.edu/LBSprivacy/


Privacy in a location finding service

http://locaccino.org/


Privacy rules


Feedback


Introduction to the Platform for Privacy Preferences (P3P)


P3P Basics

P3P provides a standard XML format that web sites use to encode their privacy policies

Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site

Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set

No special server software required

User software to read P3P policies is called a “P3P user agent”
– Built into some web browsers
– Plug-ins and services, e.g. http://privacyfinder.org/


P3P in Internet Explorer

Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears

Automatic processing of compact policies only; third-party cookies without compact policies blocked by default


Users can click on the privacy icon for a list of cookies; privacy summaries are available at sites that are P3P-enabled


Privacy summary report is generated automatically from the full P3P policy


Other P3P User Agents

http://privacyfinder.org/

Privacy Nutrition Label


What’s in a P3P policy?

– Name and contact information for site
– The kind of access provided
– Mechanisms for resolving privacy disputes
– The kinds of data collected
– How collected data is used, and whether individuals can opt-in or opt-out of any of these uses
– Whether/when data may be shared and whether there is opt-in or opt-out
– Data retention policy


Assertions in a P3P Policy

General assertions
– Location of human-readable policies and opt-out mechanisms – discuri, opturi attributes of <POLICY>
– Indication that policy is for testing only – <TEST> (optional)
– Web site contact information – <ENTITY>
– Access information – <ACCESS>
– Information about dispute resolution – <DISPUTES> (optional)

Data-specific assertions
– Consequence of providing data – <CONSEQUENCE> (optional)
– Indication that no identifiable data is collected – <NON-IDENTIFIABLE> (optional)
– How data will be used – <PURPOSE>
– With whom data may be shared – <RECIPIENT>
– Whether opt-in and/or opt-out is available – required attribute of <PURPOSE> and <RECIPIENT>
– Data retention policy – <RETENTION>
– What kind of data is collected – <DATA>
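As an added illustration (not code from the slides or from the CUPS lab), the Python below reads the general and data-specific assertions listed above out of a P3P 1.0 policy, the way a user agent's summary report does, and flags required assertions that are missing. The policy XML, the site name and the example.invalid URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy for a fictional shop; not taken from any real site.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://example.invalid/privacy.html" opturi="http://example.invalid/optout">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/><tailoring required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><same required="opt-in"/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#user.home-info.online.email" optional="yes"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

def q(tag):      # qualify an element name with the P3P 1.0 namespace
    return "{%s}%s" % (P3P_NS, tag)

def local(tag):  # strip the "{namespace}" prefix ElementTree puts on tags
    return tag.rsplit("}", 1)[-1]

def children(parent, tag):
    """Child elements of parent/<tag>, or [] when that element is absent."""
    el = parent.find(q(tag))
    return list(el) if el is not None else []

def summarize_policy(xml_text):
    """Reduce a full P3P policy to the assertions a summary report would show.
    General assertions come from <POLICY> attributes, <ENTITY> and <ACCESS>; data-specific
    ones from each <STATEMENT>. A missing required= attribute means "always" in P3P."""
    root = ET.fromstring(xml_text)
    policy = root if local(root.tag) == "POLICY" else root.find(q("POLICY"))
    entity = policy.find(q("ENTITY"))
    summary = {
        "name": policy.get("name"), "discuri": policy.get("discuri"), "opturi": policy.get("opturi"),
        "entity": [d.text for d in entity.iter(q("DATA"))] if entity is not None else [],
        "access": [local(a.tag) for a in children(policy, "ACCESS")],
        "statements": [],
        # Required elements and attributes that the policy does not carry.
        "missing": [a for a in ("name", "discuri") if not policy.get(a)]
                   + [t for t in ("ENTITY", "ACCESS") if policy.find(q(t)) is None],
    }
    for st in policy.findall(q("STATEMENT")):
        summary["statements"].append({
            "purposes": [(local(p.tag), p.get("required", "always")) for p in children(st, "PURPOSE")],
            "recipients": [(local(r.tag), r.get("required", "always")) for r in children(st, "RECIPIENT")],
            "retention": [local(r.tag) for r in children(st, "RETENTION")],
            "data": [(d.get("ref"), d.get("optional", "no")) for d in st.iter(q("DATA"))],
        })
    return summary
```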


Web Site Adoption of P3P

Ecommerce sites more likely to implement P3P
– 10% of results from typical search terms have P3P
– 21% of results from ecommerce search terms have P3P

More popular sites are more likely to implement P3P
– 5% of sites in our cache have P3P
– 9% of 30K most clicked on domains have P3P
– 17% of clicks to 30K most clicked on domains have P3P

Searches frequently return P3P-enabled hits
– 83% of searches had at least one P3P-enabled site in top 20 results
– 68% of searches had at least one P3P-enabled site in top 10 results

L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, 2008


Legal Issues

P3P specification does not address legal standing of P3P policies or include enforcement mechanisms

P3P specification requires P3P policies to be consistent with natural-language privacy policies
– P3P policies and natural-language policies are not required to contain the same level of detail
– Typically natural-language policies contain more detailed explanations of specific practices

In some jurisdictions, regulators and courts may treat P3P policies equivalently to natural-language privacy policies

The same corporate attorneys and policy makers involved in drafting the natural-language privacy policy should be involved in creating the P3P policy


Privacy policy vs. P3P policy

Privacy policy: Designed to be read by a human
P3P policy: Designed to be read by a computer

Privacy policy: Can contain fuzzy language with “wiggle room”
P3P policy: Mostly multiple choice – sites must place themselves in one “bucket” or another

Privacy policy: Can include as much or as little information as a site wants
P3P policy: Must include disclosures in every required area

Privacy policy: Easy to provide detailed explanations
P3P policy: Limited ability to provide detailed explanations

Privacy policy: Sometimes difficult for users to determine boundaries of what it applies to and when it might change
P3P policy: Precisely scoped

Privacy policy: Web site controls presentation
P3P policy: User agent controls presentation


P3P Deployment Overview

– Create a privacy policy
– Analyze the use of cookies and third-party content on your site
– Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site
– Create a P3P policy (or policies) for your site
– Create a policy reference file for your site
– Configure your server for P3P
– Test your site to make sure it is properly P3P enabled
  • http://www.w3.org/P3P/validator.html


IBM P3P Policy Editor

Sites can list the types of data they collect and view the corresponding P3P policy


Internet Explorer Cookie Blocking

Default cookie-blocking behavior in Internet Explorer (version 6, 7, 8)
– Block third-party cookies without P3P compact policies
– Block third-party cookies with “unsatisfactory” compact policies
– IE considers cookies third-party if they come from a different domain name than the page they are embedded in, even if both domains are owned by the same company

IE considers cookies unsatisfactory if
– They are associated with PII that is shared or used for marketing, profiling, or unknown purposes
– And no opt-out is available

L. Cranor. Help! IE6 Is Blocking My Cookies. http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html
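The following Python is an added example (not from the slides, the O'Reilly article, or Microsoft) that a site operator could run against their own server's responses while doing the "configure your server" and "test your site" steps of the deployment overview: it parses the P3P compact-policy header and applies the unsatisfactory-cookie rule as the slide states it. Which compact-policy tokens count as PII, as marketing/profiling/unknown purposes, and as sharing is an assumption made here, not IE's published evaluation table; the response headers are constructed.

```python
import re

# Compact-policy tokens (P3P 1.0 spec, section 4) grouped for the slide's rule.
# Assumption: which tokens count as "PII", "marketing/profiling/unknown purposes"
# and "sharing" is chosen here to match the slide's wording, not IE's own table.
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}           # contact / identifying data
SENSITIVE_PURPOSES = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP"}
SHARING_RECIPIENTS = {"SAM", "OTR", "UNR", "PUB"}
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

def parse_compact_policy(header_value):
    """Parse a P3P header value such as 'CP="NOI DSP COR NID CURa OUR"'.

    Returns {token: qualifier}; the qualifier is 'a' (always, the P3P default
    when no suffix is present), 'i' (opt-in) or 'o' (opt-out).
    """
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        raise ValueError('no CP="..." compact policy in header')
    tokens = {}
    for raw in m.group(1).split():
        tm = TOKEN_RE.match(raw)
        if not tm:
            raise ValueError("malformed compact policy token: %r" % raw)
        tokens[tm.group(1)] = tm.group(2) or "a"
    return tokens

def is_unsatisfactory(tokens):
    """Apply the slide's rule: identifiable data that is shared or used for
    marketing, profiling or unknown purposes, with no opt-in/opt-out offered."""
    if "NID" in tokens or not PII_CATEGORIES.intersection(tokens):
        return False, "no identifiable data declared"
    offenders = sorted(t for t, qual in tokens.items()
                       if t in SENSITIVE_PURPOSES | SHARING_RECIPIENTS and qual == "a")
    if offenders:
        return True, "no opt-in/opt-out for " + " ".join(offenders)
    return False, "every sensitive use or sharing offers opt-in or opt-out"

def third_party_cookie_verdict(response_headers):
    """What the default IE setting described above does with a third-party
    cookie set by a response carrying these headers (a plain dict)."""
    p3p = response_headers.get("P3P")
    if p3p is None:
        return "blocked: no compact policy"
    blocked, why = is_unsatisfactory(parse_compact_policy(p3p))
    return ("blocked: " if blocked else "allowed: ") + why

# Constructed headers for three hypothetical third-party responses.
NO_POLICY = {"Set-Cookie": "id=1"}
OPT_OUT_MISSING = {"Set-Cookie": "id=2", "P3P": 'CP="CAO DSP COR PHY ONL TAIa PSAa OUR SAMa STP"'}
OPT_OUT_OFFERED = {"Set-Cookie": "id=3", "P3P": 'CP="CAO DSP COR PHY ONL TAIo PSAo OUR SAMi STP"'}
```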


Engineering privacy


How Privacy Rights are Protected

By policy
– Protection through laws and organizational privacy policies
– Must be enforced
– Often requires mechanisms to obtain and record consent
– Transparency facilitates choice and accountability
– Technology facilitates compliance and reduces the need to rely solely on trust and external enforcement
– Technology reduces or eliminates any form of manual processing or intervention by humans
– Violations still possible due to bad actors, mistakes, government mandates

By architecture
– Protection through technology
– Reduces the need to rely on trust and external enforcement
– Violations only possible if technology fails or the availability of new data or technology defeats protections
– Often viewed as too expensive or restrictive
  • Limits the amount of data available for data mining, R&D, targeting, other business purposes
  • May require more complicated system architecture, expensive cryptographic operations
  • Pay now or pay later


Privacy stages: Degrees of Identifiability

Stage 0 – identified
– Approach to privacy protection: privacy by policy (notice and choice)
– Linkability of data to personal identifiers: linked
– System characteristics:
  • unique identifiers across databases
  • contact information stored with profile information

Stage 1 – pseudonymous
– Approach to privacy protection: privacy by policy (notice and choice)
– Linkability of data to personal identifiers: linkable with reasonable & automatable effort
– System characteristics:
  • no unique identifiers across databases
  • common attributes across databases
  • contact information stored separately from profile or transaction information

Stage 2 – pseudonymous
– Approach to privacy protection: privacy by architecture
– Linkability of data to personal identifiers: not linkable with reasonable effort
– System characteristics:
  • no unique identifiers across databases
  • no common attributes across databases
  • random identifiers
  • contact information stored separately from profile or transaction information
  • collection of long term person characteristics on a low level of granularity
  • technically enforced deletion of profile details at regular intervals

Stage 3 – anonymous
– Approach to privacy protection: privacy by architecture
– Linkability of data to personal identifiers: unlinkable
– System characteristics:
  • no collection of contact information
  • no collection of long term person characteristics
  • k-anonymity with large value of k

Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February 2009, pp. 67-82. http://ssrn.com/abstract=1085333

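As an added example (not from the slides or the Spiekermann and Cranor paper), the Python below measures the two properties the stages table turns on: whether two separately stored tables still share attributes that let their rows be linked (stage 1), and the k of k-anonymity over the quasi-identifiers, before and after long-term characteristics are kept only at low granularity (stage 2). The contact and profile tables are constructed toy data.

```python
from collections import Counter

# Constructed toy tables for a fictional service (not data from the paper).
# Stage 1 design: contact information is stored apart from profile information,
# but the two tables share attributes, so they stay linkable with automatable effort.
CONTACTS = [
    {"email": "a@example.invalid", "zip": "15213", "birth_year": 1984, "sex": "F"},
    {"email": "b@example.invalid", "zip": "15213", "birth_year": 1984, "sex": "M"},
    {"email": "c@example.invalid", "zip": "15217", "birth_year": 1990, "sex": "F"},
    {"email": "d@example.invalid", "zip": "15217", "birth_year": 1991, "sex": "F"},
]
PROFILES = [
    {"zip": "15213", "birth_year": 1984, "sex": "F", "interest": "running"},
    {"zip": "15213", "birth_year": 1984, "sex": "M", "interest": "chess"},
    {"zip": "15217", "birth_year": 1990, "sex": "F", "interest": "cooking"},
    {"zip": "15217", "birth_year": 1991, "sex": "F", "interest": "cycling"},
]

def common_attributes(table_a, table_b):
    """Columns present in both tables: the join keys that make them linkable."""
    return sorted(set(table_a[0]) & set(table_b[0]))

def k_anonymity(records, quasi_ids):
    """k of k-anonymity: size of the smallest group sharing the same quasi-identifier values."""
    groups = Counter(tuple(r[a] for a in quasi_ids) for r in records)
    return min(groups.values())

def uniquely_linkable(contacts, profiles, keys):
    """Number of profile rows whose key values match exactly one contact row."""
    index = Counter(tuple(c[k] for k in keys) for c in contacts)
    return sum(1 for p in profiles if index[tuple(p[k] for k in keys)] == 1)

def coarsen(records):
    """Stage 2 move: keep long-term characteristics only at a low level of
    granularity (3-digit ZIP, birth decade) and drop the sex attribute."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k != "sex"}
        g["zip"] = r["zip"][:3]
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out
```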

Cylab Usable Privacy and Security Laboratory

http://cups.cs.cmu.edu/

