Web Privacy with P3P

Lorrie Faith Cranor
P3P Specification Working Group Chair
AT&T Labs-Research

July 2002

http://lorrie.cranor.org/

Page 2: Part I: The online privacy landscape

Lorrie Faith Cranor • http://lorrie.cranor.org/

Page 3: Part I: The online privacy landscape

Outline

• Web privacy concerns
    • Surveys
• How do they get my data?
    • Browser chatter
    • Cookies 101
    • Online and offline merging
    • Subpoenas
    • Spyware
    • Monitoring devices
• Solutions
    • Privacy policies
    • Voluntary guidelines
    • Seal programs
    • Chief privacy officers
    • Laws and regulations
    • Software tools

Page 4: Web privacy concerns

• Data is often collected silently
    • Web allows large quantities of data to be collected inexpensively and unobtrusively
• Data from multiple sources may be merged
    • Non-identifiable information can become identifiable when merged
• Data collected for business purposes may be used in civil and criminal proceedings
• Users given no meaningful choice
    • Few sites offer alternatives

The Online Privacy Landscape: Privacy concerns

Page 5: Privacy surveys find concerns

• Increasingly people say they are concerned about online privacy (80-90% of US Net users)
• Improved privacy protection is factor most likely to persuade non-Net users to go online
• 27% of US Net users have abandoned online shopping carts due to privacy concerns
• 64% of US Net users decided not to use a web site or make an online purchase due to privacy concerns
• 34% of US Net users who do not buy online would buy online if they didn’t have privacy concerns

Page 6: Beyond concern

April 1999 study: Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, by Cranor, Ackerman and Reagle (US panel results reported)
http://www.research.att.com/projects/privacystudy/

• Internet users more likely to provide info when they are not identified
• Some types of data more sensitive than others
• Many factors important in decisions about information disclosure
• Acceptance of persistent identifiers varies according to purpose
• Internet users dislike automatic data transfer

Page 7: Few read privacy policies

• 3% review online privacy policies carefully most of the time
    • Most likely to review policy before providing credit card info
    • Policies too time consuming to read and difficult to understand
• 70% would prefer standard privacy policy format
• Most interested in knowing about data sharing and how to get off marketing lists
• People are more comfortable at sites that have privacy policies, even if they don’t read them

Page 8: Survey references

• Mark S. Ackerman, Lorrie Faith Cranor and Joseph Reagle, Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy (AT&T Labs, April 1999), http://www.research.att.com/projects/privacystudy/
• Mary J. Culnan and George R. Milne, The Culnan-Milne Survey on Consumers & Online Privacy Notices: Summary of Responses (December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/culnan-milne.pdf
• Cyber Dialogue, Cyber Dialogue Survey Data Reveals Lost Revenue for Retailers Due to Widespread Consumer Privacy Concerns (Cyber Dialogue, November 7, 2001), http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.html
• Forrester Research, Privacy Issues Inhibit Online Spending (Forrester, October 3, 2001)
• Louis Harris & Associates and Alan F. Westin, Commerce, Communication and Privacy Online (Louis Harris & Associates, 1997), http://www.privacyexchange.org/iss/surveys/computersurvey97.html
• Louis Harris & Associates and Alan F. Westin, E-Commerce and Privacy, What Net Users Want (sponsored by Price Waterhouse and Privacy & American Business; P & AB, June 1998), http://www.privacyexchange.org/iss/surveys/ecommsum.html
• Opinion Research Corporation and Alan F. Westin, “Freebies” and Privacy: What Net Users Think (sponsored by Privacy & American Business; P & AB, July 1999), http://www.privacyexchange.org/iss/surveys/sr990714.html
• Privacy Leadership Initiative, Privacy Notices Research Final Results (conducted by Harris Interactive, December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf

An extensive list of privacy surveys from around the world is available from http://www.privacyexchange.org/iss/surveys/surveys.html.

Page 9: Browser chatter

Browsers chatter about
• IP address, domain name, organization
• Referring page
• Platform: O/S, browser
• What information is requested
    • URLs and search terms
• Cookies

To anyone who might be listening
• End servers
• System administrators
• Internet Service Providers
• Other third parties
    • Advertising networks
• Anyone who might subpoena log files later

The Online Privacy Landscape: How do they get my data?

Page 10: Typical HTTP request with cookie

    GET /retail/searchresults.asp?qu=beer HTTP/1.0
    Referer: http://www.us.buy.com/default.asp
    User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA i386)
    Host: www.us.buy.com
    Accept: image/gif, image/jpeg, image/pjpeg, */*
    Accept-Language: en
    Cookie: buycountry=us; dcLocName=Basket; dcCatID=6773; dcLocID=6773; dcAd=buybasket; loc=; parentLocName=Basket; parentLoc=6773; ShopperManager%2F=ShopperManager%2F=66FUQULL0QBT8MMTVSC5MMNKBJFWDVH7; Store=107; Category=0

Page 11: Referer log problems

• GET methods result in values in URL
• These URLs are sent in the referer header to next host
• Example:

    http://www.merchant.com/cgi_bin/order?name=Tom+Jones&address=here+there&credit+card=234876923234&PIN=1234&->index.html
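The leak on this slide, seen from the host that receives the Referer header: the added example below (not part of the original slides) pulls the Referer out of a request, lists the parameters that look sensitive, and produces a form that is safe to write to a log. The function names and the SENSITIVE_HINTS list are assumptions for illustration; the sample request is constructed from the slide's example URL.

```python
"""Redact form values leaked through the Referer header before logging."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Substrings that mark a parameter name as sensitive (assumed list; extend as needed).
SENSITIVE_HINTS = ("name", "address", "card", "pin", "pass", "ssn", "email")

# Constructed sample: the request the *next* host receives after the order page
# on the slide, with the form values riding along in the Referer header.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.net\r\n"
    "Referer: http://www.merchant.com/cgi_bin/order?name=Tom+Jones"
    "&address=here+there&credit+card=234876923234&PIN=1234\r\n"
    "User-Agent: Mozilla/4.75 [en]\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return the request headers as a dict with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_params(referer):
    """Names of query parameters in the Referer URL that look sensitive."""
    query = urlsplit(referer).query
    names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    return [k for k in names if any(h in k.lower() for h in SENSITIVE_HINTS)]


def scrub_referer(referer, keep_query=False):
    """Return a version of the Referer that is safe to write to a log.

    By default the whole query string and fragment are dropped; with
    keep_query=True the parameter names are kept and every value is masked.
    """
    parts = urlsplit(referer)
    query = ""
    if keep_query:
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        query = urlencode([(k, "REDACTED") for k, _ in pairs])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    referer = parse_headers(SAMPLE_REQUEST)["referer"]
    print("sensitive parameters:", leaked_params(referer))
    print("logged as:", scrub_referer(referer, keep_query=True))
```

Scrubbing protects the receiving host's logs; the sending site removes the leak at the source by not placing form values in URLs.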

Page 12: Cookies 101

• Cookies can be useful
    • Used like a staple to attach multiple parts of a form together
    • Used to identify you when you return to a web site so you don’t have to remember a password
    • Used to help web sites understand how people use them
• Cookies can do unexpected things
    • Used to profile users and track their activities, especially across web sites

Page 13: How cookies work – the basics

• A cookie stores a small string of characters
• A web site asks your browser to “set” a cookie
• Whenever you return to that site your browser sends the cookie back automatically

Figure:
• First visit to site: site → browser: “Please store cookie xyzzy”
• Later visits: browser → site: “Here is cookie xyzzy”

Page 14: How cookies work – advanced

• Cookies are only sent back to the “site” that set them – but this may be any host in domain
    • Sites setting cookies indicate path, domain, and expiration for cookies
• Cookies can store user info or a database key that is used to look up user info – either way the cookie enables info to be linked to the current browsing session

Figure: example cookies and a database (Users …, Email …, Visits …)
• “Send me with any request to x.com until 2008”
• “Send me with requests for index.html on y.x.com for this session only”
• Cookie contents shown: [email protected], Visits=13, User=4576904309

Page 15: Cookie terminology

• Cookie replay – sending a cookie back to a site
• Session cookie – cookie replayed only during current browsing session
• Persistent cookie – cookie replayed until expiration date
• First-party cookie – cookie associated with the site the user requested
• Third-party cookie – cookie associated with an image, ad, frame, or other content from a site with a different domain name that is embedded in the site the user requested
    • Browser interprets third-party cookie based on domain name, even if both domains are owned by the same company
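The scoping rules from the two cookie slides above, as an added example that is not part of the original slides: a simplified model of the browser's decision to replay a cookie, using the domain-match and path-match rules of RFC 6265, plus the domain-name comparison that makes a cookie third-party. The Cookie class, the function names, the two sample cookies and the two-label site heuristic are assumptions for illustration; real browsers use the Public Suffix List.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                          # Domain attribute, or the setting host
    path: str = "/"
    expires: Optional[datetime] = None   # None means session cookie
    host_only: bool = False              # True when no Domain attribute was sent

    @property
    def kind(self):
        return "session" if self.expires is None else "persistent"


# Constructed from the slide's two captions; which value belongs to which
# cookie, and the exact 2008 date, are assumptions.
BROAD = Cookie("User", "4576904309", domain="x.com", expires=datetime(2008, 1, 1))
NARROW = Cookie("Visits", "13", domain="y.x.com", path="/index.html", host_only=True)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie):
    """RFC 6265 domain-match: same host, or a subdomain of the cookie's domain."""
    host, dom = host.lower(), cookie.domain.lower().lstrip(".")
    if host == dom:
        return True
    if cookie.host_only or _is_ip(host):
        return False
    return host.endswith("." + dom)


def path_match(request_path, cookie_path):
    """RFC 6265 path-match: equal, or cookie path is a prefix ending at a '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def should_replay(cookie, url, now, new_session=False):
    """True if a browser would send `cookie` with a request for `url` at `now`."""
    if cookie.expires is None:
        if new_session:                  # session cookies do not survive a restart
            return False
    elif now >= cookie.expires:          # persistent cookie past its expiration
        return False
    parts = urlsplit(url)
    return (domain_match(parts.hostname or "", cookie)
            and path_match(parts.path or "/", cookie.path))


def cookie_header(jar, url, now):
    """Cookie header value for a request: every in-scope cookie travels together."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if should_replay(c, url, now))


def site_of(host):
    """Crude site name: last two labels (assumption; browsers use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def party(page_url, resource_url):
    """Classify a cookie from `resource_url` embedded in the page at `page_url`."""
    page, res = urlsplit(page_url).hostname, urlsplit(resource_url).hostname
    return "first-party" if site_of(page) == site_of(res) else "third-party"
```

A request for index.html on y.x.com carries both sample cookies in one Cookie header, so a server that logs the header records the narrow session cookie alongside the broad persistent one.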

Page 16: Web bugs

• Invisible “images” (1-by-1 pixels, transparent) embedded in web pages that cause referer info and cookies to be transferred
• Also called web beacons, clear gifs, tracker gifs, etc.
• Work just like banner ads from ad networks, but you can’t see them unless you look at the code behind a web page
• Also embedded in HTML formatted email messages, MS Word documents, etc.
• For more info on web bugs see: http://www.privacyfoundation.org/resources/webbug.asp
• For software to detect web bugs see: http://www.bugnosis.org
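A check in the spirit of the detection software the slide points to, as an added example (not part of the original slides and not Bugnosis code): it parses a page's HTML and flags images that are declared 1-by-1 or hidden and are fetched from a different host than the page. The class name, the size threshold, the full-host comparison and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a logo, a visible third-party banner, two candidate
# web bugs (1x1 attributes, and hidden by CSS) and a same-host layout spacer.
SAMPLE_PAGE_URL = "http://www.shop.example/cart.html"
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.gif" width="120" height="40" alt="Shop">
<img src="http://ads.adnet.example/banner.gif" width="468" height="60">
<img src="http://track.adnet.example/clear.gif?page=cart" width="1" height="1" border="0">
<IMG SRC="//stats.metrics.example/p.gif" STYLE="display:none">
<img src="spacer.gif" width="1" height="1">
</body></html>
"""


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or unparseable."""
    if value is None:
        return None
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2].strip()
    return int(text) if text.isdigit() else None


class WebBugFinder(HTMLParser):
    MAX_PIXELS = 1   # assumed threshold: flag images declared 1x1 or smaller

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)                      # HTMLParser lower-cases tag and attribute names
        src = a.get("src")
        if not src:
            return
        url = urljoin(self.page_url, src)    # resolves relative and //host/ forms
        host = urlsplit(url).hostname
        if host is None or host == self.page_host:
            return                           # same-host spacers are layout, not a transfer to another site
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if w is not None and h is not None and w <= self.MAX_PIXELS and h <= self.MAX_PIXELS:
            reasons.append(f"{w}x{h} image")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"url": url, "host": host, "reasons": reasons})


def find_web_bugs(html, page_url):
    """Return one finding per suspicious off-host image in `html`."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(bug["host"], bug["url"], ", ".join(bug["reasons"]))
```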

Page 17: How data can be linked

• Every time the same cookie is replayed to a site, the site may add information to the record associated with that cookie
    • Number of times you visit a link, time, date
    • What page you visit
    • What page you visited last
    • Information you type into a web form
• If multiple cookies are replayed together, they are usually logged together, effectively linking their data
    • Narrow scoped cookie might get logged with broad scoped cookie

Page 18: Ad networks

Figure: a Search Service page and a CD Store page each carry an ad.
• Search Service: search for medical information → set cookie
• CD Store: buy CD → replay cookie

Ad company can get your name and address from CD order and link them to your search

Page 19: What ad networks may know…

Personal data:
• Email address
• Full name
• Mailing address (street, city, state, and Zip code)
• Phone number

Transactional data:
• Details of plane trips
• Search phrases used at search engines
• Health conditions

“It was not necessary for me to click on the banner ads for information to be sent to DoubleClick servers.”
– Richard M. Smith

Page 20: Online and offline merging

• In November 1999, DoubleClick purchased Abacus Direct, a company possessing detailed consumer profiles on more than 90% of US households.
• In mid-February 2000 DoubleClick announced plans to merge “anonymous” online data with personal information obtained from offline databases
• By the first week in March 2000 the plans were put on hold
    • Stock dropped from $125 (12/99) to $80 (03/00)

Page 21: Offline data goes online…

The Cranor family’s 25 most frequent grocery purchases (sorted by nutritional value)!

Page 22: Subpoenas

• Data on online activities is increasingly of interest in civil and criminal cases
• The only way to avoid subpoenas is to not have data
• In the US, your files on your computer in your home have much greater legal protection than your files stored on a server on the network

Page 23: Spyware

• Spyware: Software that employs a user's Internet connection, without their knowledge or explicit permission, to collect information
    • Most products use pseudonymous, but unique ID
• Over 800 known freeware and shareware products contain Spyware, for example:
    • Beeline Search Utility
    • GoZilla Download Manager
    • Comet Cursor
• Often difficult to uninstall!
• Anti-Spyware Sites:
    • http://grc.com/oo/spyware.htm
    • http://www.adcop.org/smallfish
    • http://www.spychecker.com
    • http://cexx.org/adware.htm

Page 24: Devices that monitor you

• Creative Labs Nomad JukeBox: Music transfer software reports all uploads to Creative Labs. http://www.nomadworld.com
• Sportbrain: Monitors daily workout. Custom phone cradle uploads data to company Web site for analysis. http://www.sportbrain.com/
• Sony eMarker: Lets you figure out the artist and title of songs you hear on the radio. And keeps a personal log of all the music you like on the emarker Web site. http://www.emarker.com
• :CueCat: Keeps personal log of advertisements you’re interested in. http://www.crq.com/cuecat.html

See http://www.privacyfoundation.org/

Page 25: Some solutions

• Privacy policies
• Voluntary guidelines and codes of conduct
• Seal programs
• Chief privacy officers
• Laws and regulations
• Software tools

The Online Privacy Landscape: Solutions

Page 26: Privacy policies

• Policies let consumers know about site’s privacy practices
• Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with
• The presence of privacy policies increases consumer trust

Page 27: Privacy policy problems

BUT policies are often
• difficult to understand
• hard to find
• take a long time to read
• change without notice

Page 28: Voluntary guidelines

• Online Privacy Alliance http://www.privacyalliance.org
• Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml
• Network Advertising Initiative Principles http://www.networkadvertising.org/

Page 29: OECD fair information principles

http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM

• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability

Page 30: Simplified principles

• Notice and disclosure
• Choice and consent
• Data security
• Data quality and access
• Recourse and remedies

US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/

Page 31: Seal programs

• TRUSTe – http://www.truste.org
• BBBOnline – http://www.bbbonline.org
• CPA WebTrust – http://www.cpawebtrust.org/
• Japanese Privacy Mark – http://www.jipdec.or.jp/security/privacy/

Page 32: Seal program problems

• Certify only compliance with stated policy
    • Limited ability to detect non-compliance
• Minimal privacy requirements
• Don’t address privacy issues that go beyond the web site
• Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes


Page 34: Chief privacy officers

• Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
• Role of CPO varies in each company
    • Draft privacy policy
    • Respond to customer concerns
    • Educate employees about company privacy policy
    • Review new products and services for compliance with privacy policy
    • Develop new initiatives to keep company out front on privacy issue
    • Monitor pending privacy legislation

Page 35: Laws and regulations

• Privacy laws and regulations vary widely throughout the world
• US has mostly sector-specific laws, with relatively minimal protections
    • Federal Trade Commission has jurisdiction over fraud and deceptive practices
    • Federal Communications Commission regulates telecommunications
• European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
    • Privacy commissions in each country (some countries have national and state commissions)
    • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)

Page 36: Some US privacy laws

• Bank Secrecy Act, 1970
• Fair Credit Reporting Act, 1971
• Privacy Act, 1974
• Right to Financial Privacy Act, 1978
• Cable TV Privacy Act, 1984
• Video Privacy Protection Act, 1988
• Family Educational Right to Privacy Act, 1993
• Electronic Communications Privacy Act, 1994
• Freedom of Information Act, 1966, 1991, 1996

Page 37: US law – recent additions

• HIPAA (Health Insurance Portability and Accountability Act, 1996)
    • When implemented, will protect medical records and other individually identifiable health information
• COPPA (Children’s Online Privacy Protection Act, 1998)
    • Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13
• GLB (Gramm-Leach-Bliley Act, 1999)
    • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions

Page 38: Safe harbor

• Membership
    • US companies self-certify adherence to requirements
    • Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/
    • Signatories must provide
        • notice of data collected, purposes, and recipients
        • choice of opt-out of 3rd-party transfers, opt-in for sensitive data
        • access rights to delete or edit inaccurate information
        • security for storage of collected data
        • enforcement mechanisms for individual complaints
• Approved July 26, 2000 by EU
    • reserves right to renegotiate if remedies for EU citizens prove to be inadequate

Page 39: Implications of Directive for web sites

• European Union Data Directive prohibits secondary uses of data without informed consent
    • Creating personally-identifiable online profiles will have to be opt-in in most cases
• Upfront notice must be given when data is collected – no web bugs
• No transfer of data to non-EU countries unless there is adequate privacy protection

Page 40: Data protection agencies

• Australia: http://www.privacy.gov.au/
• Canada: http://www.privcom.gc.ca/
• France: http://www.cnil.fr/
• Germany: http://www.bfd.bund.de/
• Hong Kong: http://www.pco.org.hk/
• Italy: http://www.privacy.it/
• Spain: http://www.ag-protecciondatos.es/
• Switzerland: http://www.edsb.ch/
• UK: http://www.dataprotection.gov.uk/
• … And many more

Page 41: Software tools

• Encryption tools – prevent others from listening in on your communications
    • File encryption
    • Email encryption
    • Encrypted network connections
• Anonymity and pseudonymity tools – prevent your actions from being linked to you
    • Anonymizing proxies
    • Mix Networks and similar web anonymity tools
    • Anonymous email
• Information and transparency tools – make informed choices about how your information will be used
    • Identity management tools
    • P3P
• Filters
    • Cookie cutters
    • Child protection software
• Other tools
    • Computer “cleaners”
    • Privacy suites
    • Personal firewalls

Page 42: The Anonymizer

• Acts as a proxy for users
• Hides information from end servers
• Sees all web traffic
• Adds ads to pages (free service; subscription service also available)
• http://www.anonymizer.com

Figure: Client → Anonymizer → Server (Request); Server → Anonymizer → Client (Reply)

Page 43: Mixes [Chaum81]

Sender routes message randomly through network of “Mixes”, using layered public-key encryption.

Figure: Sender → Mix A → Mix B → Mix C → Destination
• Sender → Mix A: {B, {C, {dest, msg}kC}kB}kA
• Mix A → Mix B: {C, {dest, msg}kC}kB
• Mix B → Mix C: {dest, msg}kC
• Mix C → Destination: msg

{ … }kX = encrypted with public key of Mix X

Page 44: Crowds

• Users join a Crowd of other users
• Web requests from the crowd cannot be linked to any individual
• Protection from
    • end servers
    • other crowd members
    • system administrators
    • eavesdroppers
• First system to hide data shadow on the web without trusting a central authority
• http://www.research.att.com/projects/crowds/

Page 45: Anonymous email

• Anonymous remailers allow people to send email anonymously
• Similar to anonymous web proxies
• Some can be chained and work like mixes
• http://anon.efga.org/~rlist

Page 46: Filters

• Cookie Cutters
    • Block cookies, allow for more fine-grained cookie control, etc.
    • Some also filter ads, referer header, and browser chatter
    • http://www.junkbusters.com/ht/en/links.html#measures
• Child Protection Software
    • Block the transmission of certain information via email, chat rooms, or web forms when child is using computer
    • Limit who a child can email or chat with
    • http://www.getnetwise.org/

Page 47: Privacy tools

Figure labels: User, Service, The Internet, Secure channel, P3P user agent, Cookie cutter, Anonymizing agent, Regulatory and self-regulatory framework

Page 48: Privacy web sites

http://www.aclu.org/

http://www.cdt.org/

http://www.cpsr.org/

http://www.consumerprivacyguide.org/

http://www.eff.org/

http://www.epic.org/

http://www.healthprivacy.org/

http://www.junkbusters.com/

http://www.privacyalliance.org/

http://www.pandab.org/

http://www.privacyexchange.org/

http://www.vortex.com/privacy.html

http://www.privacyfoundation.org/

http://www.privacy.org/pi/

http://www.privacyjournal.net/

http://www.understandingprivacy.org/

http://www.privacy.org/

http://www.privacyplace.com/

http://www.privacyrights.org/

http://www.privacytimes.com/

http://www.anu.edu.au/people/Roger.Clarke/DV/index.html

http://headlines.yahoo.com/Full_Coverage/Tech/Internet_Privacy/

The Online Privacy Landscape

Page 49: Books

• Web Privacy with P3P by Lorrie Faith Cranor
• Database Nation by Simson Garfinkel
• The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments by Marc Rotenberg