Developing Online Privacy Standards A View From the Trenches


Page 1: Developing Online Privacy Standards A View From the Trenches

Developing Online Privacy Standards
A View From the Trenches

Lorrie Faith Cranor
AT&T Labs-Research
http://lorrie.cranor.org/

Page 2

Outline

Online privacy concerns

Introduction to P3P

P3P implementations

So why did it take so long?

Page 3

Cathy, January 21, 2001

Page 4

Online privacy – key concerns

Data is often collected silently
  The Web allows lots of data to be collected easily, cheaply, unobtrusively and automatically

Individuals are not given meaningful choice
  Individuals don't know what data is being collected or how it is being used, and often assume the worst

Data from many sources may be merged
  Even non-identifiable data can become identifiable when merged

Data collected for business purposes may be used in civil and criminal proceedings

Page 5

Some solutions

Privacy policies

Voluntary guidelines and codes of conduct

Seal programs

Chief privacy officers

Laws and regulations

Software tools

Page 6

Privacy policies

Policies let consumers know about a site's privacy practices

Consumers can then decide whether or not practices are acceptable, when to opt in or opt out, and who to do business with

The presence of privacy policies increases consumer trust

BUT policies are often difficult to understand, hard to find, and take a long time to read

Many policies are changed frequently without notice

Page 7

Voluntary guidelines

Online Privacy Alliance
http://www.privacyalliance.org

Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml

Network Advertising Initiative Principles http://www.networkadvertising.org/

Page 8

OECD fair information principles

http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM

Collection limitation

Data quality

Purpose specification

Use limitation

Security safeguards

Openness

Individual participation

Accountability

Page 9

Simplified principles

Notice and disclosure

Choice and consent

Data security

Data quality and access

Recourse and remedies

Page 10

Seal Programs

TRUSTe – http://www.truste.org

BBBOnline – http://www.bbbonline.org

CPA WebTrust – http://www.cpawebtrust.org/

Japanese Privacy Mark http://www.jipdec.or.jp/security/privacy/

Page 11

Page 12

Chief Privacy Officers

Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns

Role of the CPO varies in each company
  Draft privacy policy
  Respond to customer concerns
  Educate employees about company privacy policy
  Review new products and services for compliance with privacy policy
  Develop new initiatives to keep company out front on privacy issues
  Monitor pending privacy legislation

Page 13

Laws and regulations

Privacy laws and regulations vary widely throughout the world

US has mostly sector-specific laws, with relatively minimal protections
  Federal Trade Commission has jurisdiction over fraud and deceptive practices
  Federal Communications Commission regulates telecommunications

European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
  Privacy commissions in each country (some countries have national and state commissions)

Page 14

Software tools

Anonymity and pseudonymity tools
  Anonymizing proxies
  Mix networks and similar web anonymity tools
    Onion routing
    Crowds
    Freedom
  Anonymous email

Encryption tools
  File encryption
  Email encryption
  Encrypted network connections

Filters
  Cookie cutters
  Child protection software

Information and transparency tools
  Identity management tools
  P3P

Other tools
  Privacy-friendly search engines
  Computer "cleaners"
  Tools to facilitate access

Page 15

Platform for Privacy Preferences Project (P3P)

Developed by the World Wide Web Consortium (W3C)
http://www.w3.org/p3p/

Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format
  Can be deployed using existing web servers

This will enable the development of tools (built into browsers or separate applications) that:
  Provide snapshots of sites' policies
  Compare policies with user preferences
  Alert and advise the user

Page 16

P3P is part of the solution

P3P 1.0 helps users understand privacy policies but is not a complete solution

Seal programs and regulations help ensure that sites comply with their policies

Anonymity tools reduce the amount of information revealed while browsing

Encryption tools secure data in transit and storage

Laws and codes of practice provide a baseline level for acceptable policies

Page 17

How P3P works

P3P provides a standard XML format that web sites use to encode their privacy policies

Sites also provide "policy reference files" to indicate which policy applies to which part of the site

No special server software required

Page 18

A simple HTTP transaction

Client -> Web server: request web page
  GET /index.html HTTP/1.1
  Host: www.att.com
  . . .

Web server -> Client: send web page
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .

Page 19

… with P3P 1.0 added

Client -> Web server: request policy reference file
  GET /w3c/p3p.xml HTTP/1.1
  Host: www.att.com

Web server -> Client: send policy reference file

Client -> Web server: request P3P policy

Web server -> Client: send P3P policy

Client -> Web server: request web page
  GET /index.html HTTP/1.1
  Host: www.att.com
  . . .

Web server -> Client: send web page
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .

Page 20

Using P3P on your Web site

1. Formulate privacy policy

2. Translate privacy policy into P3P format
  Use a policy generator tool

3. Place P3P policy on web site
  One policy for entire site or multiple policies for different parts of the site

4. Associate policy with web resources:
  Place P3P policy reference file (which identifies location of relevant policy file) at well-known location on server;
  Configure server to insert P3P header with link to P3P policy reference file; or
  Insert link to P3P policy reference file in HTML content
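The client side of the deployment steps above, as an added example that is not code from the talk, the W3C or any P3P user agent: it handles the three association mechanisms of step 4 (a P3P response header carrying policyref, an HTML <link rel="P3Pv1">, and the well-known location /w3c/p3p.xml that the slide 19 exchange fetches), parses a policy reference file, and decides which policy covers a given URL from its INCLUDE/EXCLUDE patterns. The reference file, the response headers and the URLs are constructed for the example; the XML namespace is the one from the P3P 1.0 Recommendation, and the parser ignores the namespace so that files using a draft-era namespace parse the same way.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Well-known location from the P3P 1.0 specification (the first request on slide 19).
WELL_KNOWN = "/w3c/p3p.xml"

# Constructed sample policy reference file: one policy for the whole site
# except the shop and CGI areas, and a separate policy for the shop.
SAMPLE_PRF = """<?xml version="1.0"?>
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/shop/*</EXCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#purchase">
      <INCLUDE>/shop/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""


def _local(tag):
    """Strip the XML namespace so draft-era and Recommendation namespaces both work."""
    return tag.rsplit("}", 1)[-1]


def parse_p3p_header(value):
    """Split a P3P header such as policyref="/w3c/p3p.xml", CP="NOI DSP COR"
    into {"policyref": "...", "cp": "..."} (directive names lower-cased)."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', value)}


def find_policy_refs(page_url, headers, html):
    """Return policy reference file URLs in the order a user agent would try them:
    P3P header policyref, then <link rel="P3Pv1" href=...>, then the well-known
    location. headers is a list of (name, value) pairs; html is the page body."""
    refs = []
    for name, value in headers:
        if name.lower() == "p3p":
            directives = parse_p3p_header(value)
            if "policyref" in directives:
                refs.append(urljoin(page_url, directives["policyref"]))
    for match in re.finditer(r"<link\s[^>]*>", html, re.I):
        tag = match.group(0)
        if re.search(r'rel\s*=\s*"?P3Pv1"?', tag, re.I):
            href = re.search(r'href\s*=\s*"([^"]+)"', tag, re.I)
            if href:
                refs.append(urljoin(page_url, href.group(1)))
    refs.append(urljoin(page_url, WELL_KNOWN))
    ordered = []
    for ref in refs:  # de-duplicate, keeping first-seen order
        if ref not in ordered:
            ordered.append(ref)
    return ordered


def _pattern(p3p_glob):
    """P3P INCLUDE/EXCLUDE patterns use '*' for any run of characters; all else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in p3p_glob.split("*")) + "$")


def parse_reference_file(xml_text):
    """Return [(policy_uri, [include patterns], [exclude patterns]), ...] in file order."""
    root = ET.fromstring(xml_text)
    refs = []
    for node in root.iter():
        if _local(node.tag) != "POLICY-REF":
            continue
        includes = [(c.text or "").strip() for c in node if _local(c.tag) == "INCLUDE"]
        excludes = [(c.text or "").strip() for c in node if _local(c.tag) == "EXCLUDE"]
        refs.append((node.get("about"), includes, excludes))
    return refs


def policy_for(refs, path):
    """URI of the first POLICY-REF whose INCLUDE matches path and whose EXCLUDEs
    do not; None means no P3P policy covers the resource."""
    for about, includes, excludes in refs:
        if any(_pattern(p).match(path) for p in includes) and \
                not any(_pattern(p).match(path) for p in excludes):
            return about
    return None


if __name__ == "__main__":
    # Constructed response headers for the page fetch on slide 19.
    hdrs = [("Content-Type", "text/html"),
            ("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"')]
    print(find_policy_refs("http://www.att.com/index.html", hdrs, "<html></html>"))
    refs = parse_reference_file(SAMPLE_PRF)
    for path in ("/index.html", "/shop/cart", "/cgi-bin/search"):
        print(path, "->", policy_for(refs, path))
```

A resource that no POLICY-REF covers (here anything under /cgi-bin/) yields None; a user agent that compares policies with preferences has to treat that as "no policy", not as a match, which is one reason the later slides distinguish information-only tools from tools that take automatic action.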

Page 21

The P3P vocabulary

Who is collecting data?

What data is collected?

For what purpose will data be used?

Is there an ability to opt-in or opt-out of some data uses?

Who are the data recipients (anyone beyond the data collector)?

To what information does the data collector provide access?

What is the data retention policy?

How will disputes about the policy be resolved?

Where is the human-readable privacy policy?

Page 22

Transparency

P3P clients can check a privacy policy each time it changes

P3P clients can check privacy policies on all objects in a web page, including ads and invisible images
  http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE
  http://www.att.com/accessatt/

Page 23

User preferences

P3P spec does not specify how users should configure their preferences or what the user agent should do
  Some guidelines are offered in the Guiding Principles

A separate W3C specification – A P3P Preference Exchange Language (APPEL) – provides a standard format for encoding preferences
  Not required for P3P user agent implementations
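To make the vocabulary questions on slide 21 and the policy-versus-preferences comparison described here concrete, the following Python is an added example, not code from the talk or from any P3P user agent; it does not implement APPEL, the preference rules are a plain dictionary of the user's own making. It reads a P3P 1.0 policy and answers the slide 21 questions (who collects, what data, purposes and their opt-in/opt-out status, recipients, retention, access, dispute resolution, human-readable policy URL), then reports every STATEMENT that conflicts with the preferences. Element names follow the P3P 1.0 base vocabulary; the policy text, the "Example Corp" entity and the preference rules are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (P3P 1.0 vocabulary; Example Corp is fictitious).
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="general" discuri="http://www.example.com/privacy.html">
  <ENTITY><DATA-GROUP>
    <DATA ref="#business.name">Example Corp</DATA>
    <DATA ref="#business.contact-info.online.email">privacy@example.com</DATA>
  </DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="service" service="http://www.example.com/privacy.html"/>
  </DISPUTES-GROUP>
  <STATEMENT>
    <PURPOSE><admin/><develop/><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact required="opt-in"/><telemarketing required="opt-out"/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>
"""

# Constructed user preferences: a plain dict, not an APPEL ruleset.
PREFS = {
    "purposes_only_with_opt_in": {"contact", "telemarketing"},
    "reject_recipients": {"unrelated", "public"},
    "reject_retention": {"indefinitely"},
}


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(element, name):
    return [c for c in element if _local(c.tag) == name]


def parse_policy(xml_text, name=None):
    """Return a dict answering the slide 21 questions for one POLICY element."""
    root = ET.fromstring(xml_text)
    policies = [p for p in root.iter() if _local(p.tag) == "POLICY"]
    if name is not None:
        policies = [p for p in policies if p.get("name") == name]
    pol = policies[0]
    out = {"name": pol.get("name"), "discuri": pol.get("discuri"),
           "entity": {}, "access": [], "disputes": [], "statements": []}
    for entity in _children(pol, "ENTITY"):            # who is collecting data
        for group in _children(entity, "DATA-GROUP"):
            for d in _children(group, "DATA"):
                out["entity"][d.get("ref", "").lstrip("#")] = (d.text or "").strip()
    for access in _children(pol, "ACCESS"):            # what the collector gives access to
        out["access"] += [_local(c.tag) for c in access]
    for dgroup in _children(pol, "DISPUTES-GROUP"):    # how disputes are resolved
        for disp in _children(dgroup, "DISPUTES"):
            out["disputes"].append((disp.get("resolution-type"), disp.get("service")))
    for stmt in _children(pol, "STATEMENT"):
        s = {"purposes": {}, "recipients": set(), "retention": set(), "data": []}
        for purpose in _children(stmt, "PURPOSE"):
            for c in purpose:  # "required" defaults to "always" in P3P 1.0
                s["purposes"][_local(c.tag)] = c.get("required", "always")
        for recipient in _children(stmt, "RECIPIENT"):
            s["recipients"] |= {_local(c.tag) for c in recipient}
        for retention in _children(stmt, "RETENTION"):
            s["retention"] |= {_local(c.tag) for c in retention}
        for group in _children(stmt, "DATA-GROUP"):    # what data is collected
            s["data"] += [d.get("ref", "").lstrip("#") for d in _children(group, "DATA")]
        out["statements"].append(s)
    return out


def check_policy(policy, prefs):
    """Compare every STATEMENT to prefs; return (statement index, kind, value) per mismatch."""
    problems = []
    for i, s in enumerate(policy["statements"]):
        for purpose, required in s["purposes"].items():
            if purpose in prefs["purposes_only_with_opt_in"] and required != "opt-in":
                problems.append((i, "purpose", purpose))
        for r in sorted(s["recipients"] & prefs["reject_recipients"]):
            problems.append((i, "recipient", r))
        for r in sorted(s["retention"] & prefs["reject_retention"]):
            problems.append((i, "retention", r))
    return problems


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("collector:", policy["entity"], "policy text:", policy["discuri"])
    for problem in check_policy(policy, PREFS):
        print("mismatch:", problem)
```

Note that the first statement (clickstream and HTTP data, used only for administration, development and completing the current activity, kept for the stated purpose) passes these preferences, while the second fails on three counts: telemarketing is only opt-out, data goes to an unrelated recipient, and it is kept indefinitely. A tool of the "automatic action" kind on the next slide would act on that list; an "information-only" tool would just show it.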

Page 24

Types of P3P user agent tools

On-demand or continuous
  Some tools only check for P3P policies when the user requests, others check automatically at every site

Generic or customized
  Some tools simply describe a site's policy in some user-friendly format – others are customizable and can compare the policy with a user's preferences

Information-only or automatic action
  Some tools simply inform users about site policies, while others may actively block cookies, referrers, etc. or take other actions at sites that don't match the user's preferences

Built-in, add-on, or service
  Some tools may be built into web browsers or other software, others are designed as plug-ins or other add-ons, and others may be provided as part of an ISP or other service

Page 25

Other types of P3P tools

P3P validators
  Check a site's P3P policy for valid syntax

Policy generators
  Generate P3P policies and policy reference files for web sites

Web site management tools
  Assist sites in deploying P3P across the site, making sure forms are consistent with P3P policy, etc.

Search and comparison tools
  Compare privacy policies across multiple web sites – perhaps built into search engines

Page 26

P3P in IE6

Privacy icon on status bar

Initial focus is on P3P policies for cookies

Page 27

AT&T WorldNet Privacy Tool

Testing in WorldNet Beta club later this month

Future FREE public release

http://privacy.research.att.com/

Page 28

Chirping bird is privacy indicator

Page 29

Click on the bird for more info

Page 30

Privacy policy summary – mismatch

Page 31

What is unique about this?

Automatic processing done for all web page components, not just cookies

Optional pop-up alerts before submitting forms at sites that don’t match user preferences

Automatic processing reads full P3P policy, not just compact policies

Privacy icon/button displayed at all sites, not just “unsatisfactory” sites

Privacy icon/button doesn’t disappear at sites with pop-ups, no browser toolbar, etc.

Many customization choices for users

P3P language simplified for easier understanding

Page 32

So why has it taken so long?

Page 33

In the beginning…

There was the Platform for Internet Content Selection (PICS)
  A system for creating rating systems and labeling web sites
  Developed by the World Wide Web Consortium (W3C)
  Designed primarily so parents could filter content they found inappropriate for their children
  Flexible enough to support almost any kind of rating system

Page 34

How about PICS for privacy?

In 1996 the US Congress and Federal Trade Commission became aware of online privacy concerns

Industry groups began to discuss a strategy for preventing onerous legislation

Those involved with the PICS project suggested that it be used to help people maintain control of their personal info

Page 35

But why stop there?

Don't just label, negotiate!

And digitally sign agreements

And automatically enforce the agreements

And make it more convenient to store and transfer personal info

And much much more . . .

. . . And so we began work on P3P

Page 36

Page 37

Page 38

P3P 1.0

Page 39

Developing the P3P vocabulary

Examples of difficulties
  Finding the right degree of granularity
  Getting agreement between privacy advocates and industry lawyers
  Getting agreement between North Americans and Europeans (and Asians, Australians, etc.)
  What is personally identifiable information? Is an IP address personally identifiable?

… and many more….

Page 40

Defining a reasonable grammar

There are many pieces of privacy-related information that could be included; how do we know if the grammar is expressive enough?
  Could the Web site use the grammar (and vocabulary) to clearly express that its practices meet legal requirements?
  Does the grammar provide the ability to express enough information such that a third party could issue recommended settings that are meaningful to users?

Page 41

Rating systems and vocabularies

Example rating (school subjects and letter grades):
  Math      A
  Science   B
  English   B+
  Spelling  D-
  History   C
  French    A-
  Spanish   F
  Gym       A+
  Art       B-
  Music     C
  Drama     B

Page 42

Descriptive versus subjective

[Diagram: a spectrum of vocabularies from subjective (few variables, simple) to descriptive (many variables, complex)]

L. Cranor and J. Reagle. Designing a Social Protocol: Lessons Learned from the Platform for Privacy Preferences. In Jeffrey K. MacKie-Mason and David Waterman, eds., Telephony, the Internet, and the Media. Mahwah, NJ: Lawrence Erlbaum Associates, 1998. [Paper presented at the Telecommunications Policy Research Conference, Alexandria, VA, September 27-29, 1997.]

Page 43

Can't derive descriptive from subjective

Subjective:
  Characters not well developed
  Gratuitous sex and violence

Descriptive?
  Bad acting? Boring plot? Bad script? Dull characters? Unbelievable premise? Unoriginal? Too much violence? Not enough violence?

Page 44

Recommended settings

Overlay a simpler subjective vocabulary on top of a more complicated descriptive one

Users can plug in recommended settings as canned configuration files

Example canned settings: Good Mouseclickings, Great Privacy, Nearly Anonymous Surfing, Basic Privacy

Page 45

AT&T preference settings

[Screenshot of the preference settings, with sections for:]
  Health or medical information
  Financial or purchase information
  Personally identifiable information
  Non-personally identifiable information
  Import and export settings

Page 46

The Myth of Internet Time

Internet time is fast, but most people don't operate on Internet time
  Corollary: Most standards bodies don't operate on Internet time
  Corollary: Most companies don't operate on Internet time
  Corollary: Most governments don't operate on Internet time

Don't expect anything to really happen in Internet time

Page 47

Don't rely on future inventions

Standards and technologies that are said to be just around the corner are often miles away

And Internet time doesn’t change that

Page 48

But time is a funny thing…

Overall, this specification took a really long time (~5 years)

But the individual decisions that had to be made to create this specification were each made pretty quickly (~2 weeks)

In order to participate effectively in this process, people had to pay close attention and be prepared to review proposals in <2 weeks

Page 49

Other problems

The evolving W3C process

Ever changing working group membership and W3C staff representatives

Patent problems

Getting the attention of browser implementers

Making the specification work efficiently within existing infrastructure

Page 50

If you build it, will they come?

Some lessons learned…
  A good design is not sufficient
  Think about deployment scenarios and adoption strategies from the beginning
  Get buy-in from those with the resources and/or power to make things happen
  Don't design a kitchen when all people are willing to build right now is a toaster

Page 51

For more information

Visit the P3P web site: http://www.w3.org/P3P/

Coming soon: http://www.p3ptoolbox.org/

AT&T WorldNet Privacy tool:

http://privacy.research.att.com/