Student Projects:Privacy Internet:Self Regulation

From CSEP590TU

Outline

  1. Types of information gathered during Web surfing (just a brief mention since Ted will likely discuss in his section)
    1. Passive (cookies, clickstream)
    2. Active (web forms, registration, shipping and payment information)
  2. Web anonymizers
    1. How they work. Useful against passive information gathering.
      1. Degraded web surfing experience. JavaScript exploits
    2. Anonymizing active information gathering during web site registration?
      1. Bugmenot.com sufficient for one-time access.
      2. Lucent Personal Web Assistant (LPWA) for pseudonymous surfing. Useful to maintain an online presence in a virtual community (like a message board) but still protect privacy.
    3. e-Commerce relies on electronic purchases and delivery of goods.
      1. Some anonymous payment schemes but none widely used.
      2. Delivery of physical goods requires physical address.
      3. Conclude that users must relinquish control over personally identifying information in order to conduct business over the Web and therefore users need some level of trust with a company.
  3. FTC's Fair Information Practices
    1. Notice, Consent, Access, Participation
    2. Existing self-regulation approaches do not provide sufficient Notice. Appropriate Notice is required for consent, access, and redress.
  4. Seal programs
    1. TRUSTe, BBBOnLine. How does a company obtain a seal?
      1. Companies must draft a policy statement that covers all elements of the FIP.
    2. Limitations
      1. Nobody is using it (~1500 sites with seals)
      2. The connectedness of the Web can make it difficult to tell which site you are actually browsing. Frames can hide the actual page from being displayed in the toolbar.
      3. Cite privacy survey results. Nobody reads the statements. Conclude that Notice is not being enforced.
  5. P3P
    1. How it works.
      1. Site operators create machine readable privacy policy. Users define acceptable privacy practices using APPEL. Client tools automatically download web site policies and compare to user profile.
    2. Some user agent support exists.
      1. IE6 checks the compact policy for cookies. Netscape adds some P3P support as well.
      2. AT&T Privacy Bird
    3. Limitations
      1. Low adoption rate (expensive to implement)
      2. Can't reflect true meaning of the full policy in a P3P policy file. Companies are worried about how legally binding the P3P policies are.
      3. Simply reflects a site's privacy policy; it doesn't guarantee that the site follows the FIP. Client tools usually default to permissive settings (functionality over privacy). The default settings do not provide adequate Notice.
  6. Industry isn't adopting either Seals or P3P. What can be done?
    1. Contextual privacy notices: Users are more willing to share information if they can see tangible benefit (use Kobsa paper)
      1. Add an extension to P3P that allows benefits to the user to be displayed in context, based on the user's privacy profile.
      2. What if Microsoft defaults its web browser to a more restrictive setting? Given IE's huge market share, sites would be forced to comply.

Rough Draft

Available here

[TedZ] Thanks for posting your rough draft, Ryan. I hope to have mine posted sometime tonight (11/30/04). After I get mine posted, I will review and comment on your draft.