Student Projects:Privacy Internet:Self Regulation
From CSEP590TU
Outline
- Types of information gathered during Web surfing (just a brief mention since Ted will likely discuss in his section)
- Passive (cookies, clickstream)
- Active (web forms, registration, shipping and payment information)
- Web anonymizers
- How they work. Useful against passive information gathering.
- Degraded web surfing experience. JavaScript exploits
- Anonymizing active information gathering during web site registration?
- Bugmenot.com sufficient for one-time access.
- Lucent Personal Web Assistant (LPWA) for pseudonymous surfing. Useful to maintain an online presence in a virtual community (like a message board) but still protect privacy.
- e-Commerce relies on electronic purchases and delivery of goods.
- Some anonymous payment schemes but none widely used.
- Delivery of physical goods requires physical address.
- Conclude that users must relinquish control over personally identifying information in order to conduct business over the Web and therefore users need some level of trust with a company.
- FTC's Fair Information Practices
- Notice, Consent, Access, Participation
- Existing self-regulation approaches do not provide sufficient Notice. Appropriate Notice is required for consent, access, and redress.
- Seal programs
- TRUSTe, BBBOnLine. How does a company obtain a seal?
- Companies must draft policy statement that covers all elements in FIP.
- Limitations
- Nobody is using it (~1500 sites with seals)
- The connectedness of the Web can make it difficult to tell which site you are actually browsing. Frames can hide actual page from being displayed in toolbar.
- Cite privacy survey results. Nobody reads the statements. Conclude that Notice is not being enforced.
- P3P
- How it works.
- Site operators create machine readable privacy policy. Users define acceptable privacy practices using APPEL. Client tools automatically download web site policies and compare to user profile.
- Some user agent support exists.
- IE6 checks compact policy for cookies. Netscape adds some P3P support as well.
- AT&T Privacy Bird
- Limitations
- Low adoption rate (expensive to implement)
- Can't reflect true meaning of the full policy in a P3P policy file. Companies are worried about how legally binding the P3P policies are.
- Simply reflects a site's privacy policy; it doesn't guarantee that the site follows the FIP. Client tools usually default to permissive settings (functionality over privacy). The default settings do not provide adequate Notice.
- Industry isn't adopting either Seals or P3P. What can be done?
- Contextual privacy notices: Users are more willing to share information if they can see tangible benefit (use Kobsa paper)
- Add extension to P3P that allows benefits to user to be displayed in context based on the user's privacy profile.
- What if Microsoft defaults web browser to use more restrictive setting? Given IE's huge market share, sites would be forced to comply.
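To make the P3P items above concrete (a user agent compares a site's compact policy with the user's profile, and permissive defaults let everything through), here is an added example that is not part of the original outline. It is a simplified evaluator, not the algorithm used by IE6 or Privacy Bird; the token names come from the P3P 1.0 compact-policy vocabulary, while the profiles, the `IDENTIFYING` grouping and the sample headers are assumptions constructed for illustration.

```python
import re

# Compact-policy tokens from the P3P 1.0 specification.
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
           "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
# Data categories this example treats as personally identifying (assumption).
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}

# Hypothetical user profiles: decision when no policy is sent, plus rejected (token, consent) pairs.
PERMISSIVE = {"no_policy": "accept", "blocked": set()}
RESTRICTIVE = {"no_policy": "block",
               "blocked": {(t, s) for t in ("TEL", "CON", "UNR", "PUB") for s in ("a", "o")}}

# Constructed sample P3P header values, not taken from any real site.
SAMPLES = {
    "marketing": 'CP="NOI DSP COR CONa TELo OUR UNR PHY ONL"',
    "minimal": 'CP="NOI CUR ADM OUR NOR NAV"',
    "none": None,
}

def parse_compact_policy(header_value):
    """Return the token list from a P3P header value, or None if it has no CP field."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    return m.group(1).split() if m else None

def evaluate(header_value, profile):
    """Return (decision, offending_tokens) for a cookie sent with this P3P header."""
    tokens = parse_compact_policy(header_value) if header_value else None
    if tokens is None:
        return profile["no_policy"], ["no compact policy"]
    if "NID" in tokens:  # site declares the data non-identifiable
        return "accept", []
    identifying = any(t in IDENTIFYING for t in tokens)
    reasons = []
    for t in tokens:
        base, consent = t[:3], t[3:] or "a"  # a=always (default), i=opt-in, o=opt-out
        if base in PURPOSE | RECIPIENT and identifying and (base, consent) in profile["blocked"]:
            reasons.append(t)
    return ("block" if reasons else "accept"), reasons
```

Under `PERMISSIVE`, every sample is accepted, including the site that sends no policy at all; only `RESTRICTIVE` surfaces the marketing and third-party tokens to the user.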
Rough Draft
Available here
[TedZ] Thanks for posting your rough draft, Ryan. I hope to have mine posted sometime tonight (11/30/04). After I get mine posted, I will review and comment on your draft.