TRANSCRIPT
Web Privacy with P3P
Lorrie Faith Cranor
P3P Specification Working Group Chair
AT&T Labs-Research
July 2002
http://lorrie.cranor.org/
Lorrie Faith Cranor • http://lorrie.cranor.org/
Part I: The online privacy landscape
Outline
Web privacy concerns
  Surveys
How do they get my data?
  Browser chatter
  Cookies 101
  Online and offline merging
  Subpoenas
  Spyware
  Monitoring devices
Solutions
  Privacy policies
  Voluntary guidelines
  Seal programs
  Chief privacy officers
  Laws and regulations
  Software tools
Web privacy concerns
Data is often collected silently
  Web allows large quantities of data to be collected inexpensively and unobtrusively
Data from multiple sources may be merged
  Non-identifiable information can become identifiable when merged
Data collected for business purposes may be used in civil and criminal proceedings
Users given no meaningful choice
  Few sites offer alternatives
The Online Privacy Landscape: Privacy concerns
Privacy surveys find concerns
Increasingly people say they are concerned about online privacy (80-90% of US Net users)
Improved privacy protection is factor most likely to persuade non-Net users to go online
27% of US Net users have abandoned online shopping carts due to privacy concerns
64% of US Net users decided not to use a web site or make an online purchase due to privacy concerns
34% of US Net users who do not buy online would buy online if they didn’t have privacy concerns
Beyond concern
April 1999 Study: Beyond Concern: Understanding Net Users' Attitudes About Online Privacy by Cranor, Ackerman and Reagle (US panel results reported)
http://www.research.att.com/projects/privacystudy/
Internet users more likely to provide info when they are not identified
Some types of data more sensitive than others
Many factors important in decisions about information disclosure
Acceptance of persistent identifiers varies according to purpose
Internet users dislike automatic data transfer
Few read privacy policies
3% review online privacy policies carefully most of the time
Most likely to review policy before providing credit card info
Policies too time consuming to read and difficult to understand
70% would prefer standard privacy policy format
Most interested in knowing about data sharing and how to get off marketing lists
People are more comfortable at sites that have privacy policies, even if they don’t read them
Survey references
Mark S. Ackerman, Lorrie Faith Cranor and Joseph Reagle, Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy (AT&T Labs, April 1999), http://www.research.att.com/projects/privacystudy/
Mary J. Culnan and George R. Milne, The Culnan-Milne Survey on Consumers & Online Privacy Notices: Summary of Responses (December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/culnan-milne.pdf
Cyber Dialogue, Cyber Dialogue Survey Data Reveals Lost Revenue for Retailers Due to Widespread Consumer Privacy Concerns (Cyber Dialogue, November 7, 2001), http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.html
Forrester Research, Privacy Issues Inhibit Online Spending (Forrester, October 3, 2001)
Louis Harris & Associates and Alan F. Westin, Commerce, Communication and Privacy Online (Louis Harris & Associates, 1997), http://www.privacyexchange.org/iss/surveys/computersurvey97.html
Louis Harris & Associates and Alan F. Westin, E-Commerce and Privacy: What Net Users Want (sponsored by Price Waterhouse and Privacy & American Business; P & AB, June 1998), http://www.privacyexchange.org/iss/surveys/ecommsum.html
Opinion Research Corporation and Alan F. Westin, “Freebies” and Privacy: What Net Users Think (sponsored by Privacy & American Business; P & AB, July 1999), http://www.privacyexchange.org/iss/surveys/sr990714.html
Privacy Leadership Initiative, Privacy Notices Research Final Results (conducted by Harris Interactive, December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf
An extensive list of privacy surveys from around the world is available from http://www.privacyexchange.org/iss/surveys/surveys.html.
Browser chatter
Browsers chatter about:
  IP address, domain name, organization
  Referring page
  Platform: O/S, browser
  What information is requested: URLs and search terms
  Cookies
To anyone who might be listening:
  End servers
  System administrators
  Internet Service Providers
  Other third parties (e.g., advertising networks)
  Anyone who might subpoena log files later
The Online Privacy Landscape: How do they get my data?
Typical HTTP request with cookie
GET /retail/searchresults.asp?qu=beer HTTP/1.0
Referer: http://www.us.buy.com/default.asp
User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA i386)
Host: www.us.buy.com
Accept: image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en
Cookie: buycountry=us; dcLocName=Basket; dcCatID=6773; dcLocID=6773; dcAd=buybasket; loc=; parentLocName=Basket; parentLoc=6773; ShopperManager%2F=ShopperManager%2F=66FUQULL0QBT8MMTVSC5MMNKBJFWDVH7; Store=107; Category=0
Referer log problems
GET methods result in values in URL
These URLs are sent in the referer header to next host
Example:
http://www.merchant.com/cgi_bin/order?name=Tom+Jones&address=here+there&credit+card=234876923234&PIN=1234  ->  index.html
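The two slides above (the buy.com request and the referer leak) as an audit script, added here and not part of the original talk: it parses a raw request head and reports which sensitive form fields, search terms and cookie names the server, its logs and the next site's referer log would see. The request texts are constructed after the slides' examples, and the parameter-name lists are assumptions to tune per site.

```python
"""Audit what one HTTP request reveals: sensitive form values riding in a GET
URL or in the Referer header, search terms, and cookie names. Added example,
not from the slides; the two request texts are constructed after the slides'
examples, and the parameter-name lists are assumptions to tune per site."""
from urllib.parse import parse_qsl, urlsplit

# Form fields that should never travel in a query string: the URL lands in
# server and proxy logs and is replayed to the next site as its Referer.
SENSITIVE_PARAMS = {"name", "address", "credit card", "creditcard", "pin",
                    "password", "ssn", "email"}
# Query keys that carry search terms, part of the "browser chatter" anyone
# between browser and server can read.
SEARCH_PARAMS = {"q", "qu", "query", "search"}

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers

def query_params(url):
    """Decoded (key, value) pairs of a URL's query string, in order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def sensitive_params(url):
    """Names of sensitive query parameters present in url, in order."""
    return [k for k, _v in query_params(url) if k.lower() in SENSITIVE_PARAMS]

def search_terms(url):
    """Search phrases present in url's query string."""
    return [v for k, v in query_params(url) if k.lower() in SEARCH_PARAMS]

def audit_request(raw):
    """What the server, its logs, and any listener learn from one request."""
    method, target, headers = parse_request(raw)
    referer = headers.get("referer", "")
    cookie = headers.get("cookie", "")
    return {
        "method": method,
        "leaks_in_url": sensitive_params(target),
        "leaks_in_referer": sensitive_params(referer),
        "search_terms": search_terms(target) + search_terms(referer),
        "cookie_names": [c.split("=", 1)[0].strip()
                         for c in cookie.split(";") if c.strip()],
    }

# Constructed: after the order form, the browser requests index.html, so the
# order URL with all its form values is sent along as the Referer.
ORDER_FOLLOWUP = """GET /index.html HTTP/1.0
Referer: http://www.merchant.com/cgi_bin/order?name=Tom+Jones&address=here+there&credit+card=234876923234&PIN=1234
Host: www.merchant.com
Cookie: Store=107; Category=0
"""

# Constructed after the slide's buy.com request: the search term is in the URL.
SEARCH = """GET /retail/searchresults.asp?qu=beer HTTP/1.0
Referer: http://www.us.buy.com/default.asp
Host: www.us.buy.com
Cookie: buycountry=us; dcLocName=Basket; ShopperManager%2F=ShopperManager%2F=66FUQULL0QBT8MMTVSC5MMNKBJFWDVH7
"""

if __name__ == "__main__":
    for raw in (ORDER_FOLLOWUP, SEARCH):
        print(audit_request(raw))
```

The same check run over a web server's access log (request line plus Referer column) finds which of a site's own forms leak field values by using GET instead of POST.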
Cookies 101
Cookies can be useful
  Used like a staple to attach multiple parts of a form together
  Used to identify you when you return to a web site so you don’t have to remember a password
  Used to help web sites understand how people use them
Cookies can do unexpected things
  Used to profile users and track their activities, especially across web sites
How cookies work – the basics
A cookie stores a small string of characters
A web site asks your browser to “set” a cookie
Whenever you return to that site your browser sends the cookie back automatically
First visit to site:  site -> browser: “Please store cookie xyzzy”
Later visits:         browser -> site: “Here is cookie xyzzy”
How cookies work – advanced
Cookies are only sent back to the “site” that set them – but this may be any host in domain
Sites setting cookies indicate path, domain, and expiration for cookies
Cookies can store user info or a database key that is used to look up user info – either way the cookie enables info to be linked to the current browsing session
Diagram: two example cookie scopes
  “Send me with any request to x.com until 2008”
  “Send me with requests for index.html on y.x.com for this session only”
  Example cookie contents: Visits=13 User=4576904309
  Server-side database (Users, Email, Visits, …) looked up by the key in the cookie
Cookie terminology
Cookie replay – sending a cookie back to a site
Session cookie – cookie replayed only during current browsing session
Persistent cookie – cookie replayed until expiration date
First-party cookie – cookie associated with the site the user requested
Third-party cookie – cookie associated with an image, ad, frame, or other content from a site with a different domain name that is embedded in the site the user requested
  Browser interprets third-party cookie based on domain name, even if both domains are owned by the same company
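The scoping rules from the last two slides as a small cookie-jar simulation, added here and not part of the original talk: domain and path matching, session versus persistent expiry, and the first-party/third-party decision made on the domain name alone. The two cookies are constructed after the slide's diagram; site_of is a simplifying assumption (last two labels) where real browsers consult a public suffix list.

```python
"""Simulate browser cookie scoping: domain, path, expiration, session vs
persistent, and the first-party/third-party distinction. Added example, not
from the slides; cookies and hosts are constructed after the slide's diagram."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                          # replayed to this host and any host under it
    path: str = "/"                      # ... but only for request paths under this prefix
    expires: Optional[datetime] = None   # None = session cookie

class CookieJar:
    def __init__(self):
        self.cookies = []

    def set(self, cookie):
        self.cookies.append(cookie)

    def end_session(self):
        """Closing the browser discards session cookies; persistent ones survive."""
        self.cookies = [c for c in self.cookies if c.expires is not None]

    def replay(self, url, now):
        """Return the cookies the browser would attach to a request for url."""
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        sent = []
        for c in self.cookies:
            if c.expires is not None and now >= c.expires:
                continue          # expired: never replayed again
            if host != c.domain and not host.endswith("." + c.domain):
                continue          # another site: domain does not match
            if not path.startswith(c.path):
                continue          # right site, wrong path prefix
            sent.append(c)
        return sent

def site_of(host):
    """'Domain name' of a host: its last two labels. Assumption for this
    example; real browsers use the public suffix list (e.g. for co.uk)."""
    return ".".join(host.split(".")[-2:])

def is_third_party(page_url, resource_url):
    """A cookie set by an embedded resource is third-party when the resource's
    domain name differs from the page the user asked for, whoever owns them."""
    return site_of(urlsplit(page_url).hostname) != site_of(urlsplit(resource_url).hostname)

def demo():
    """Broad persistent cookie plus narrow session cookie, as on the slide."""
    jar = CookieJar()
    jar.set(Cookie("User", "4576904309", domain="x.com", expires=datetime(2008, 1, 1)))
    jar.set(Cookie("Visits", "13", domain="y.x.com", path="/index.html"))
    now = datetime(2002, 7, 1)
    both = [c.name for c in jar.replay("http://y.x.com/index.html", now)]   # replayed together
    elsewhere = [c.name for c in jar.replay("http://www.x.com/cart", now)]  # broad one only
    jar.end_session()
    after = [c.name for c in jar.replay("http://y.x.com/index.html", now)]  # session cookie gone
    expired = [c.name for c in jar.replay("http://y.x.com/index.html", datetime(2009, 1, 1))]
    return both, elsewhere, after, expired

if __name__ == "__main__":
    print(demo())
    print(is_third_party("http://www.searchsite.example/", "http://ad.x.com/banner.gif"))
```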
Web bugs
Invisible “images” (1-by-1 pixels, transparent) embedded in web pages that cause referer info and cookies to be transferred
Also called web beacons, clear gifs, tracker gifs, etc.
Work just like banner ads from ad networks, but you can’t see them unless you look at the code behind a web page
Also embedded in HTML formatted email messages, MS Word documents, etc.
For more info on web bugs see: http://www.privacyfoundation.org/resources/webbug.asp
For software to detect web bugs see: http://www.bugnosis.org
How data can be linked
Every time the same cookie is replayed to a site, the site may add information to the record associated with that cookie
  Number of times you visit a link, time, date
  What page you visit
  What page you visited last
  Information you type into a web form
If multiple cookies are replayed together, they are usually logged together, effectively linking their data
  Narrow scoped cookie might get logged with broad scoped cookie
Ad networks
Diagram: the user searches for medical information at a Search Service whose page carries an ad from the Ad company, which sets a cookie; the user later buys a CD at a CD Store that carries an ad from the same Ad company, and the cookie is replayed
Ad company can get your name and address from CD order and link them to your search
What ad networks may know…
Personal data: email address, full name, mailing address (street, city, state, and Zip code), phone number
Transactional data: details of plane trips, search phrases used at search engines, health conditions
“It was not necessary for me to click on the banner ads for information to be sent to DoubleClick servers.”
– Richard M. Smith
Online and offline merging
In November 1999, DoubleClick purchased Abacus Direct, a company possessing detailed consumer profiles on more than 90% of US households.
In mid-February 2000 DoubleClick announced plans to merge “anonymous” online data with personal information obtained from offline databases
By the first week in March 2000 the plans were put on hold
  Stock dropped from $125 (12/99) to $80 (03/00)
Offline data goes online…
The Cranor family’s 25 most frequent grocery purchases (sorted by nutritional value)!
Subpoenas
Data on online activities is increasingly of interest in civil and criminal cases
The only way to avoid subpoenas is to not have data
In the US, your files on your computer in your home have much greater legal protection than your files stored on a server on the network
Spyware
Spyware: Software that employs a user's Internet connection, without their knowledge or explicit permission, to collect information
Most products use pseudonymous, but unique ID
Over 800 known freeware and shareware products contain Spyware, for example: Beeline Search Utility, GoZilla Download Manager, Comet Cursor
Often difficult to uninstall!
Anti-Spyware Sites:
  http://grc.com/oo/spyware.htm
  http://www.adcop.org/smallfish
  http://www.spychecker.com
  http://cexx.org/adware.htm
Devices that monitor you
Creative Labs Nomad JukeBox – Music transfer software reports all uploads to Creative Labs. http://www.nomadworld.com
Sportbrain – Monitors daily workout. Custom phone cradle uploads data to company Web site for analysis. http://www.sportbrain.com/
Sony eMarker – Lets you figure out the artist and title of songs you hear on the radio. And keeps a personal log of all the music you like on the eMarker Web site. http://www.emarker.com
:CueCat – Keeps personal log of advertisements you‘re interested in. http://www.crq.com/cuecat.html
See http://www.privacyfoundation.org/
Some solutions
Privacy policies
Voluntary guidelines and codes of conduct
Seal programs
Chief privacy officers
Laws and regulations
Software tools
The Online Privacy Landscape: Solutions
Privacy policies
Policies let consumers know about site’s privacy practices
Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with
The presence of privacy policies increases consumer trust
Privacy policy problems
BUT policies are often:
  difficult to understand
  hard to find
  take a long time to read
  change without notice
Voluntary guidelines
Online Privacy Alliance http://www.privacyalliance.org
Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml
Network Advertising Initiative Principles http://www.networkadvertising.org/
OECD fair information principles
http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM
Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability
Simplified principles
Notice and disclosure
Choice and consent
Data security
Data quality and access
Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/
Seal programs
TRUSTe – http://www.truste.org
BBBOnline – http://www.bbbonline.org
CPA WebTrust – http://www.cpawebtrust.org/
Japanese Privacy Mark – http://www.jipdec.or.jp/security/privacy/
Seal program problems
Certify only compliance with stated policy
Limited ability to detect non-compliance
Minimal privacy requirements
Don’t address privacy issues that go beyond the web site
Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes
Chief privacy officers
Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
Role of CPO varies in each company
  Draft privacy policy
  Respond to customer concerns
  Educate employees about company privacy policy
  Review new products and services for compliance with privacy policy
  Develop new initiatives to keep company out front on privacy issue
  Monitor pending privacy legislation
Laws and regulations
Privacy laws and regulations vary widely throughout the world
US has mostly sector-specific laws, with relatively minimal protections
  Federal Trade Commission has jurisdiction over fraud and deceptive practices
  Federal Communications Commission regulates telecommunications
European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
  Privacy commissions in each country (some countries have national and state commissions)
  Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)
Some US privacy laws
Bank Secrecy Act, 1970
Fair Credit Reporting Act, 1971
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996
US law – recent additions
HIPAA (Health Insurance Portability and Accountability Act, 1996)
  When implemented, will protect medical records and other individually identifiable health information
COPPA (Children‘s Online Privacy Protection Act, 1998)
  Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13
GLB (Gramm-Leach-Bliley Act, 1999)
  Requires privacy policy disclosure and opt-out mechanisms from financial service institutions
Safe harbor
Membership
  US companies self-certify adherence to requirements
  Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/
Signatories must provide
  notice of data collected, purposes, and recipients
  choice of opt-out of 3rd-party transfers, opt-in for sensitive data
  access rights to delete or edit inaccurate information
  security for storage of collected data
  enforcement mechanisms for individual complaints
Approved July 26, 2000 by EU
  EU reserves right to renegotiate if remedies for EU citizens prove to be inadequate
Implications of Directive for web sites
European Union Data Directive prohibits secondary uses of data without informed consent
  Creating personally-identifiable online profiles will have to be opt-in in most cases
Upfront notice must be given when data is collected – no web bugs
No transfer of data to non-EU countries unless there is adequate privacy protection
Data protection agencies
Australia: http://www.privacy.gov.au/
Canada: http://www.privcom.gc.ca/
France: http://www.cnil.fr/
Germany: http://www.bfd.bund.de/
Hong Kong: http://www.pco.org.hk/
Italy: http://www.privacy.it/
Spain: http://www.ag-protecciondatos.es/
Switzerland: http://www.edsb.ch/
UK: http://www.dataprotection.gov.uk/
… And many more
Software tools
Encryption tools – prevent others from listening in on your communications
  File encryption
  Email encryption
  Encrypted network connections
Anonymity and pseudonymity tools – prevent your actions from being linked to you
  Anonymizing proxies
  Mix Networks and similar web anonymity tools
  Anonymous email
Information and transparency tools – make informed choices about how your information will be used
  Identity management tools
  P3P
Filters
  Cookie cutters
  Child protection software
Other tools
  Computer “cleaners”
  Privacy suites
  Personal firewalls
The Anonymizer
Acts as a proxy for users
Hides information from end servers
Sees all web traffic
Adds ads to pages (free service; subscription service also available)
http://www.anonymizer.com
Diagram: Client -> Request -> Anonymizer -> Request -> Server; Server -> Reply -> Anonymizer -> Reply -> Client
Mixes [Chaum81]
Sender routes message randomly through network of “Mixes”, using layered public-key encryption.
Diagram (kX = encrypted with public key of Mix X):
  Sender -> Mix A:        {B, {C, {dest, msg} kC} kB} kA
  Mix A -> Mix B:         {C, {dest, msg} kC} kB
  Mix B -> Mix C:         {dest, msg} kC
  Mix C -> Destination:   msg
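The layered exchange in the diagram above, as an added example that is not part of the original talk: the sender wraps {dest, msg} for C, then {C, ...} for B, then {B, ...} for A, and each mix peels one layer and learns only its next hop. Assumption: a keyed HMAC-SHA256 keystream (a hypothetical stand-in) replaces the real public-key encryption kX, so the layering and what each mix sees are exact while the cipher itself is only a placeholder.

```python
"""Layered encryption through a chain of Chaum mixes, following the slide's
diagram: the sender builds {B, {C, {dest, msg}kC}kB}kA and each mix removes
one layer and forwards the rest to the hop it names. Added example, not from
the slides. Assumption: a keyed HMAC-SHA256 keystream (hypothetical stand-in)
replaces the real public-key encryption kX; the layering is exact, the cipher
is only a placeholder."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16

def keystream(key, nonce, length):
    """Expand key+nonce into `length` bytes (stand-in for real encryption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """'Encrypt with the key of Mix X'. A fresh nonce makes equal inputs look
    different on the wire, which a mix needs so inputs cannot be matched to outputs."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

class Mix:
    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)   # stands in for the mix's public/private key pair
        self.seen = []              # every next hop this mix ever learns

    def process(self, blob):
        """Peel this mix's layer: returns (next_hop, inner_payload)."""
        layer = json.loads(decrypt(self.key, blob).decode())
        self.seen.append(layer["next"])
        return layer["next"], bytes.fromhex(layer["payload"])

def wrap(route, dest, msg):
    """Sender side: wrap from the last mix outward so that route[0] can open it."""
    blob, next_hop = msg, dest
    for mix in reversed(route):
        layer = json.dumps({"next": next_hop, "payload": blob.hex()}).encode()
        blob, next_hop = encrypt(mix.key, layer), mix.name
    return blob

def deliver(route, blob):
    """Network side: pass the blob from mix to mix until a non-mix hop is named.
    Returns (destination, plaintext message, names of mixes traversed)."""
    mixes = {m.name: m for m in route}
    hop, path = route[0].name, []
    while hop in mixes:
        path.append(hop)
        hop, blob = mixes[hop].process(blob)
    return hop, blob, path

if __name__ == "__main__":
    chain = [Mix("A"), Mix("B"), Mix("C")]
    print(deliver(chain, wrap(chain, "dest", b"msg")))
    print([m.seen for m in chain])   # A learns only B, B only C, C only dest
```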
Crowds
Users join a Crowd of other users
Web requests from the crowd cannot be linked to any individual
Protection from: end servers, other crowd members, system administrators, eavesdroppers
First system to hide data shadow on the web without trusting a central authority
http://www.research.att.com/projects/crowds/
Anonymous email
Anonymous remailers allow people to send email anonymously
Similar to anonymous web proxies
Some can be chained and work like mixes
http://anon.efga.org/~rlist
Filters
Cookie Cutters
  Block cookies, allow for more fine-grained cookie control, etc.
  Some also filter ads, referer header, and browser chatter
  http://www.junkbusters.com/ht/en/links.html#measures
Child Protection Software
  Block the transmission of certain information via email, chat rooms, or web forms when child is using computer
  Limit who a child can email or chat with
  http://www.getnetwise.org/
Privacy tools
Diagram: User and Service connected across The Internet; tools shown between them: secure channel, P3P user agent, cookie cutter, anonymizing agent; both sides sit within a regulatory and self-regulatory framework
Privacy web sites
http://www.aclu.org/
http://www.cdt.org/
http://www.cpsr.org/
http://www.consumerprivacyguide.org/
http://www.eff.org/
http://www.epic.org/
http://www.healthprivacy.org/
http://www.junkbusters.com/
http://www.privacyalliance.org/
http://www.pandab.org/
http://www.privacyexchange.org/
http://www.vortex.com/privacy.html
http://www.privacyfoundation.org/
http://www.privacy.org/pi/
http://www.privacyjournal.net/
http://www.understandingprivacy.org/
http://www.privacy.org/
http://www.privacyplace.com/
http://www.privacyrights.org/
http://www.privacytimes.com/
http://www.anu.edu.au/people/Roger.Clarke/DV/index.html
http://headlines.yahoo.com/Full_Coverage/Tech/Internet_Privacy/
The Online Privacy Landscape
Books
Web Privacy with P3P
by Lorrie Faith Cranor
Database Nation by Simson Garfinkel
The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments by Marc Rotenberg