Privacy Online
description
Transcript of Privacy Online
1
Privacy Online
Jane Turk, Ph.D.CIS 610
Summer 2003
2
Outline background & perspectives
surveys of current Internet use children’s online privacy consumer online privacy possible solution routes
3
Business Perspective Direct Marketing: > $176 billion a
year over 10,000 compiled & publicly
traded databases on market today private databases, with little or no
regulation except in financial industry ability to capture info about users
on Web target marketing
4
Privacy Perspective protecting privacy of consumer info
is “very” important to consumers consumers don’t know scope of
data maintained on them strong privacy standards
develop trust in users encourage development of online
commerce
5
Major Concerns of Consumers companies they patronize will
provide their information to other companies without their permission (75%)
their transactions may not be secure (70%)
hackers will steal their personal data (69%)
source: Harris survey, Nov 2001
6
Most Important Elements to be Verified security measures are adequate (90%) company does not release customer
personal data without permission (89%) access within the company is limited
(84%) company is only collecting info that its
privacy policies dictate (84%) info use or sharing follows stated privacy
policies (81%)
source: Harris survey, Nov 2001
7
Suggested Remedy verify privacy policy by a third
party (and 91% would do more business) online seal of approval does not
necessarily verify BBBOnLine and Truste
audit by major accounting firm PricewaterhouseCoopers
source: Harris survey, Nov 2001
8
Fair Information Principles consumers be given:
notice of entity’s info practices choice/consent with respect to
secondary use & dissemination of info collected from or about them
access to info about them collector assure security &
integrity of info provide enforcement mechanism
9
Public Records Online NYC voter registration site NJ info on those licensed by state registries of sex offenders federal judges’ recommendation to
put most civil proceedings online but to restrict criminal proceedings
good source: www.epic.org/privacy/publicrecords
10
Children’s Privacy Federal Trade Commission:
children are avid consumers and influence spending
information collection targets are ages 8-11
business goal: microtarget individual child
CME 1996 study exposed the issues
11
FTC “Kids Privacy Surf Day” “snapshot’, not comprehensive survey
126 sites listed by Yahooligans! results announced Dec 1997 86% of sites surveyed were collecting
personally identifiable info on children fewer than 30% of sites had privacy
policy another review March 1998
12
FTC 1998 Report: Children’s Sites of 212 sites directed at children
89% collect personally identifiable info directly from children
54% disclose info collection practices
fewer than 10% provide for some form of parental control
13
Children’s Online Privacy Protection Act (1998) parental consent required for
collection, use, disclosure of personal information from children under 13
parents may prevent further use or collection
parents may review information
14
Privacy Journal Recommendations parent
approve kid’s giving email address totally involved in kid’s giving physical
address order products in parent’s name
kid can use (false) nickname never use name and address to buy
15
Annenberg 2000 Study 29% of parents would give
identifying info in exchange for a free gift worth $100
45% of kids ages 10-17 would 39% of girls, 54% of boys
parents need help
16
Cookies passive files stored on hard drives
of Netscape & Microsoft IE users store a customer ID number for
site/network used by online advertisers to track
a user’s movements profiling, preferences
issue: transparency
17
Why Cookies? HTTP is stateless: keeps no
information from a connection with cookies, a Web page can
“remember” you from your last visit
enable much of interactivity customization, shopping baskets
18
Online Profiling: How and Where cookies, web bugs, URLs, info you
provide anonymous, unless you identify
yourself in customer database of the
site/network pages/sites visited DoubleClick tracks movement on 1500
sites
19
Online Profiling: Pros and Cons deliver desired content to user provide information about interests
of individual aggregate info about site
info collected often without knowledge or consent
20
Spyware conducts surveillance on a
computer usually placed without knowledge
or consent of computer owner violates basic FIPS e.g., “phone home” programs,
Web bugs, home web monitoring
21
Web Bugs clear GIFs, embedded images transmit info when page is viewed:
where, when designed to monitor who is viewing
page e.g., HTML mail
recent SW enables detection
22
The Net NEVER Forgets Internet Archive scoops up the
Web postings to Usenet groups are
saved in Deja News now http://groups.google.com
posts to email forums and chat services are searchable
public record
23
Costs to Business of Not Protecting Privacy sales lost may be $18 billion older business models may be less
effective than privacy-friendly models lost opportunities and higher costs for
imported personal data “safe harbor” includes complying with
FIPS
source: Robert Gellman, “Privacy, Consumers, and Costs”
24
Costs to Consumers When Privacy Is Not Protected higher prices stopping junk mail and
telemarketing calls avoiding identity theft protecting privacy on the Internetsource: Robert Gellman, “Privacy,
Consumers, and Costs”
25
Solution Routes education, including
fair information principles best business practices
industry self-regulation technology legislation
26
Industry Self-Regulation for privacy depends on posted privacy policies
coming: integrated suites of tools online privacy seal programs
e.g., TRUSTe, BBBOnLine implement some FIPS and monitor
compliance public audit of privacy policies e.g., www.thedailyapple.com
27
FTC Action Against Toysmart privacy policy promised never to
divulge customer information certified by TRUSTe FTC could intervene
bankrupt company advertised “databases and customer lists” for sale
FTC sued to prevent sale of customer info
28
Privacy Enhancing Technologies (PETs) seek to eliminate use of personal data
from transactions or give direct control for disclosure of personal information to individual concerned standard format for ratings systems: Platform for Internet Content Selection
machine-to-machine protocol for data exchange: P3P (Platform for Privacy Preferences)
anonymous use
29
Proposed Online Personal Privacy Act (S. 2201 in 107th) opt-in for sensitive personally
identifiable info opt-out for less sensitive info follows most FIPS preempts state legislation on
online privacy
30
Sources Adkinson, William et al. “Privacy Online: A
report on the information practices and policies of commercial web sites,” March 2002. The Progress and Freedom Foundation.
Center for Democracy and Technology. “Guide to Online Privacy,” http://www.cdt.org/privacy/guide/introduction/
Electronic Privacy Information Center. "Surfer Beware III: Privacy Policies Without Privacy Protection." Dec. 1999 <http://www.epic.org/reports/surfer-beware3.html>
31
Federal Trade Commission. “Privacy Online: Fair Information Practices in the Electronic Marketplace,” May 2000, www.ftc.gov/reports/privacy2000/privacy2000.pdf
Gellman, Robert. “Privacy, Consumers, and Costs: how the lack of privacy costs consumers and why business studies of privacy costs are biased and incomplete,” March 2002. www.epic.org/reports/dmfprivacy.html
32
Goldman, Janlori and Zoe Hudson and Richard M. Smith. “Privacy Report on the Privacy Policies and practices of Health Web Sites”. Sponsored by California HealthCare Foundation, January 2000, http://admin.chcf.org/documents/ehealth/privacywebreport.pdf
Pew Internet and American Life Project. “Trust and Privacy Online: Why Americans Want to Rewrite the Rules,” Aug 2000, www.pewinternet.org/reports/pdfs/PIP_Trust_Privacy_Report.pdf