juliana-peters
Outline
What is Privacy?
Privacy Concerns
Web Privacy
Privacy Protection Approaches
  Legislation
  Industry Self-Regulation
  Technology
What does privacy mean to you?
How would you define privacy?
What does it mean to you for something to be private?
Britney Spears: “We just need privacy”
“You have to realize that we're people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being.”
— Britney Spears, 15 June 2006, NBC Dateline
http://www.cnn.com/2006/SHOWBIZ/Music/06/15/people.spears.reut/index.html
Information Disclosure: Privacy Tradeoffs
Benefits
  Financial rewards: coupons, gift vouchers, discounts, cash…
  Personalization
Risks
  Lose control of your personal information
  Identity theft
[Diagram labels: Information Subject, Disclosed Information, Service Provider, Benefits in Return, Benefit/Risks Analysis]
Web Privacy: A look at privacy policies at Google, Microsoft and Yahoo
What gets saved when you use the service
  Microsoft doesn't record IP address, log-in time, or other user-specific information in its logs
  Both Yahoo and Google collect these data, along with your browser and what you clicked on the page.
  Google log record example
    Q = cars
    url = www.google.com/search?q=cars
    IP = 72.14.253.xx
    Cookie = PREF=66FUQULL0QBT8MMTVSC5K: LD=en…
    User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA i386)
    Time = 25 Mar 2007 10:15:32
Web Privacy: A look at privacy policies at Google, Microsoft and Yahoo
Amount of personal information when you sign up
  Google - just name and the country you live in
  Yahoo and Microsoft - name, gender, birthday, and zip code.
Time-to-Delete
  Google may take up to 60 days to completely remove that "Vegas was great" e-mail from its servers after you delete it.
  Microsoft takes three days or less
  Yahoo says that, though removing the actual e-mail content may take a short while, the information becomes dissociated from your account almost as soon as you delete it
http://www.pcworld.com/article/id,137363-page,1-c,onlineprivacy/article.html
Privacy Laws
Privacy laws and regulations vary widely throughout the world
US has mostly sector-specific laws, with relatively minimal protections - often referred to as “patchwork quilt”
Privacy Laws – Private Sector
  Fair Credit Reporting Act (FCRA)
  Health Insurance Portability and Accountability Act (HIPAA)
  Gramm-Leach-Bliley Act (GLBA)
  The Children’s Online Privacy Protection Act (COPPA)
  The Drivers Privacy Protection Act (DPPA)
Privacy Laws – Public Sector
  The Privacy Act of 1974
  The Freedom of Information Act (FOIA)
Privacy Laws …
State Security Breach Notification Laws
Laws that compel Disclosure of personal information
  The US Patriot Act of 2001
  Homeland Security Act of 2002
  Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA):
  The US Communications Assistance to Law Enforcement Act (CALEA):
European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws that recognize privacy as a fundamental human right
Privacy self-regulation
Since 1995, the US FTC has pressured companies to “self regulate” in the privacy area
  Upcoming FTC town hall on behavioral advertising
  http://www.ftc.gov/opa/2007/08/ehavioral.shtm
Self regulation may be completely voluntary or mandatory (or somewhere in between)
Self-regulatory programs and initiatives
  Industry Guidelines
  Privacy Seals
  Privacy Policies
Voluntary privacy guidelines
Direct Marketing Association Privacy Promise
Network Advertising Initiative Principles
CTIA Location-based privacy guidelines
Generally Accepted Privacy Principles
Privacy policies
Policies let consumers know about site’s privacy practices
Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with
The presence of privacy policies increases consumer trust
What are some problems with privacy policies?
Privacy policy problems
BUT policies are often
  difficult to understand
  hard to find
  take a long time to read
  change without notice?
Short Notices
Project organized by Hunton & Williams law firm
  Short version (short notice) of human-readable policy for web and paper
  Also called a “layered notice” - refer to long notice for more detail
  Now being called “highlights notice”
  Focus on reducing privacy policy to at most 7 boxes
Alternative proposals from privacy advocates focus on check boxes
Interest Internationally
  http://www.privacyconference2003.org/resolution.asp
Interest in the US for financial privacy notices
  http://www.ftc.gov/opa/2003/12/privnoticesjoint.htm
Privacy Notice Highlights Template

Acme Company Privacy Notice Highlights

SCOPE
This statement applies to Acme Company and several members of the Acme family of companies.

PERSONAL INFORMATION
We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers.

USES
We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services.

YOUR CHOICES
You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com.

IMPORTANT INFORMATION
You may request information on your billing and payment activities.

HOW TO REACH US
For more information about our privacy policy, write to:
  Consumer Department
  Acme Company
  11 Main Street
  Anywhere, NY 10100
Or go to the privacy statement on our website at acme.com.

NY142510v1 5/28/2002
Dated: May 28, 2002
Template prepared by the Notices Project, a program of the Center for Information Policy Leadership at Hunton & Williams
© 2002 Center for Information Policy Leadership
Checkbox proposal
WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES.
Collection: (check boxes: YES / NO)
  We collect personal information directly from you
  We collect information about you from other sources:
  We use cookies on our website
  We use web bugs or other invisible collection methods
  We install monitoring programs on your computer
Uses: We use information about you to: (check boxes: With Your Consent / Without Your Consent)
  Send you advertising mail
  Send you electronic mail
  Call you on the telephone
Sharing: We allow others to use your information to: (check boxes: With Your Consent / Without Your Consent)
  Maintain shared databases about you
  Send you advertising mail
  Send you electronic mail
  Call you on the telephone N/A N/A
Access: You can see and correct {ALL, SOME, NONE} of the information we have about you.
Choices: You can opt-out of receiving from (check boxes: Us / Affiliates / Third Parties)
  Advertising mail
  Electronic mail
  Telemarketing N/A
Retention: We keep your personal data for: {Six Months, Three Years, Forever}
Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}
Source: Robert Gellman, July 3, 2003
P3P
What is P3P? www.w3.org/P3P/
From a Web site’s perspective:
  A protocol designed to provide a way for a Web site to encode its privacy statement in a machine-readable format.
From a user’s perspective:
  Use a P3P User Agent
    Configure their privacy preferences
    Get notification of a Web site’s privacy practices
Privacy Bird configuration screen
Users can choose to be notified or not, when a site uses financial information for marketing purposes.
Privacy Finder
Uses Google or Yahoo! API to retrieve search results
Checks each result for P3P policy
Evaluates P3P policy against user’s preferences
Reorders search results
Composes search result page with privacy annotations next to each P3P-enabled result
Users can retrieve “Privacy Report” similar to Privacy Bird policy summary
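
The check, evaluate and reorder steps above, sketched as an added example (not code from the slides or from Privacy Finder itself): it parses P3P 1.0 policy XML and applies the Privacy Bird style preference "notify when financial information is used for marketing". The sample policies, the `.example` hosts, the choice of `contact` and `telemarketing` as the marketing purposes, and the ok / no policy / conflict ordering are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"   # P3P 1.0 XML namespace
MARKETING = {"contact", "telemarketing"}    # assumption: PURPOSE values counted as marketing

def names(parent, tag):
    """Local names of the children of every <tag> element under parent."""
    return {c.tag.replace(NS, "") for el in parent.iter(NS + tag) for c in el}

def evaluate(policy_xml, blocked_categories):
    """Return 'none', 'conflict' or 'ok' for one site's P3P policy."""
    if policy_xml is None:
        return "none"
    try:
        # Policies are fetched from remote sites: in production parse this
        # untrusted XML with a hardened parser and a size limit.
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return "none"                        # unreadable policy counts as no policy
    for stmt in root.iter(NS + "STATEMENT"):
        # A statement conflicts when it pairs a marketing purpose with a
        # data category the user asked to be notified about.
        if names(stmt, "PURPOSE") & MARKETING and names(stmt, "CATEGORIES") & blocked_categories:
            return "conflict"
    return "ok"

def reorder(results, prefs):
    """Annotate each result, then stable-sort: ok, no policy, conflict."""
    rank = {"ok": 0, "none": 1, "conflict": 2}
    annotated = [(url, evaluate(policy, prefs)) for url, policy in results]
    return sorted(annotated, key=lambda r: rank[r[1]])

def policy(purposes, categories):
    """Build a constructed one-statement P3P policy for the demo."""
    tags = lambda xs: "".join(f"<{x}/>" for x in xs)
    return ('<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1"><STATEMENT>'
            f"<PURPOSE>{tags(purposes)}</PURPOSE><RECIPIENT><ours/></RECIPIENT>"
            "<RETENTION><stated-purpose/></RETENTION><DATA-GROUP>"
            f'<DATA ref="#dynamic.miscdata"><CATEGORIES>{tags(categories)}</CATEGORIES></DATA>'
            "</DATA-GROUP></STATEMENT></POLICY>")

RESULTS = [  # constructed search results: (url, policy XML or None)
    ("shop.example", policy(["current", "telemarketing"], ["financial", "purchase"])),
    ("blog.example", None),
    ("cars.example", policy(["current", "admin"], ["navigation"])),
]

if __name__ == "__main__":
    for url, verdict in reorder(RESULTS, {"financial"}):
        print(f"{verdict:8} {url}")
```
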
SRA 472
Integration of Privacy & Security
Conception
Foundation Concepts
Fair Information Practices
Technological Drivers
Privacy-Enhancing & Privacy-Invasive Technologies
The Platform for Privacy Preferences (P3P) & Design for Privacy
Organizational Approaches
Building a Privacy Org. Infrastructure
IT Governance and Risk Control
Profession & Training
Professional Associations
Career Opportunities
Project Presentations
Privacy Laws