Power Strips, Prophylactics, and Privacy, Oh My!

Post on 13-Jan-2016


CMU Usable Privacy and Security Laboratory

http://cups.cs.cmu.edu/

Power Strips, Prophylactics, and Privacy, Oh My!

Julia Gideon, Serge Egelman,

Lorrie Cranor, and Alessandro Acquisti

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ • Serge Egelman

Privacy Good!

Users claim to value privacy

More and more are concerned

Top concerns
• Insecure transactions
• Data sharing
• Theft of data

Lost revenue
• By 2006, $24.5B lost (Juniper Research, 2002)

More online shopping with privacy guarantees


Privacy Policies

Users like notices
• In theory…

Rapid adoption

Problems
• Comprehension
• Hard to find
• Lengthy
• Subject to changing without notice

There must be a better way!


Platform for Privacy Preferences Project (P3P)

Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/
• Final P3P1.0 Recommendation issued 16 April 2002

Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format
• Can be deployed using existing web servers

Enables the development of tools (built into browsers or separate applications) that
• Summarize privacy policies
• Compare policies with user preferences
• Alert and advise users

P3P support built into IE6 and Netscape 7


Privacy Bird

Free download of beta from http://privacybird.com/
• Originally developed at AT&T Labs
• Released as open source

“Browser helper object” for IE6

Reads P3P policies at all P3P-enabled sites automatically

Bird icon at top of browser window indicates whether site matches user’s privacy preferences

Clicking on bird icon gives more information


Chirping bird is privacy indicator


Red bird indicates mismatch


Privacy settings


Why can’t somebody else do it?


Privacy Finder

Prototype developed at AT&T Labs, improved and deployed by CUPS

Multiple search APIs

Locates P3P policies

Compares with user’s preferences

Reorders annotated search results

Users can retrieve “Privacy Report” similar to Privacy Bird policy summary


But Is It Useful?

Do users care about web site privacy?

Have enough web sites adopted P3P that typical search results contain sites with P3P policies?
• Do users have meaningful choices among privacy policies?

Do users understand information provided by Privacy Finder?

Does Privacy Finder influence online purchasing decisions?


Let’s Find Out!

Observe purchase decisions

Surveys
• 5 Point Likert

Between groups
• 24 Participants
• “Shopping Finder”
• Static pages

Multiple products

No price incentive

Shipping option


Privacy Preferences

• Data sharing
    Financial (100% opposed)
    Medical (92% opposed)
    Non-personal information (33% opposed)
• Opt-out (96% opposed)
• Access (96% favor)
• Marketing
    Telephone (92% opposed)
    Email/Postal (88% opposed)


Medium Preference Level

Warn when…
• Site collects health or medical information for analysis or marketing.
• Site shares health or medical information with others.
• Site shares financial information with others.
• Site does not allow me to opt-out from marketing lists.
• Site shares personally identifiable information with others.
• Site does not allow me to see the information collected on me.

But do their actions follow?


Results

…not really

[Chart: axis 0 to 9; groups Control: Power Strips, Experimental: Power Strips, Control: Condoms, Experimental: Condoms; legend Green, Red, None]


Results

Acting on privacy concerns
• Privacy Finder helps

Green bird purchases
• Condoms
    Experimental: 8/12
    Control: 2/12
• Power strips
    Experimental: 4/12
    Control: 1/12

Red bird purchases
• Condoms
    Experimental: 1/12
    Control: 7/12
• Power strips
    Experimental: 2/12
    Control: 2/12


Results

Product privacy concerns
• Condoms (p < 0.025)
• Power strips (not significant)

Price *may* matter
• Lower prices in control group
• Condoms: $13.96 vs. $12.63
• Power strips: $17.04 vs. $16.47


Exit Survey

More concerns with condoms (p < 0.008)
• Discreet packaging
• Credit statement
• Order history

Group differences
• Data security (experimental: 50%, control: 0)
• Misunderstood symbols
    50% thought green bird means encryption
• Experimental concerns addressed by P3P
• 90% said bird influenced decision


Privacy Information

Privacy Reports
• Four read them
• Four could not find them
• Three were not interested

Privacy Policies
• One third read them
• Two read Privacy Report but not policy

Trusted Privacy Finder

Birds
• Five avoided red birds
• False trust


Limitations & Future Work

More control needed
• Evenly distributed birds
• Trust icons for both groups

Click logs

Price information
• Incentives
• Result order

Trust icon
• Boxes vs. birds


Privacy Finder

http://search.privacybird.com/

CMU Usable Privacy and Security Laboratory

http://cups.cs.cmu.edu/