Presentation is loading. Please wait.

Presentation is loading. Please wait.

The ‘PAIPPSI’ Research Project « Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet » ‘An interdisciplinary analysis of.

Similar presentations

Presentation on theme: "The ‘PAIPPSI’ Research Project « Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet » ‘An interdisciplinary analysis of."— Presentation transcript:

1 The ‘PAIPPSI’ Research Project « Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet » ‘An interdisciplinary analysis of 'Privacy Policies' on Websites’ F. Le Guel RITM Université Paris Sud Colloque ISN La protection des données personnelles : approche pluridisciplinaire Jeudi 18 décembre 2014 Les Colombages, 12 rue Arthur Rozier, 75019 Paris

2 PAIPPSI : an exploratory project PAIPPSI is a ‘PEPS’ project : ‘Projet Exploratoire Premier Soutien’ Funding : CNRS-Idex Paris-Saclay December 2014/December 2015 An exploratory project aims to promote original interactions between Social Sciences and other sciences such as mathematics, computer science, engineering, etc… to initiate scientific and technological communities in Saclay, with the ability to associate corporate industrial laboratories or start-ups

3 PAIPPSI : an interdisciplinary project Economists : Grazia Cecere, Nicolas Soulié, Matthieu Manant, Serge Pajak, Alain Rallet, Fabrice Rochelandet, Jean-Michel Etienne, Nessrine Omrani (RITM, U. Paris Sud) Lawyers : Célia Zolinsky, Ola Mohty (DANTE, UVSQ), Alexandra Bensamoun, David Forest, Julie Groffe (CERDI – U. Paris Sud), Claire Levallois-Barth (TPT - Institut Mines-Télécom) Computer scientists : Sophie Chabridon (TSP - Institut Mines- Télécom) Consumers' Association : François Carlier (CLCV - Association nationale de défense des consommateurs et usagers)

4 PAIPPSI : « Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet » ‘Privacy policy’: « charte de vie privée », « Politique de confidentialité » (Google), « Politique d’utilisation des données » (Facebook), « Respect de la vie privée », « Vos données », « Informations vous concernant », etc… ‘An interdisciplinary analysis of 'Privacy Policies' on Websites’

5 What is a ‘privacy policy’ ? But, in practice, in the European Community, there is no law or regulation requiring the publication of such a document and certainly not that define the content A priori, a privacy policy is a document that discloses some or all of the ways a party gathers, uses, discloses and manages a web user or client's data The only requirement for a website is to respect the law concerning the processing of personal data!

6 So why do websites display a privacy policy while there is no legal obligation to do that ? Is it not paradoxical ?

7 The ‘privacy paradox’ (A. Acquisti) 'privacy paradox' : while Internet users are concerned about privacy, their behaviors do not mirror those concerns Discrepancy between stated privacy concerns and actual privacy settings

8 For websites : a ‘privacy policy paradox’ ? i.e., a gap between what is reported by the website (via the privacy policy ) and what is actually observed ?

9 Issues We talk about the best way to inform citizens about the collection and processing of personal data...... in the age of the ‘Internet of Things’ and ‘Big Data’...... while legislation is evolving…... at the time of criticisms of companies like Facebook, Twitter or Google's…... but without undermining the economic growth !

10 The firm’s behavior: Two examples of the gap between what is announced by the firm and what it actually does Ghostery TRUSTe

11 What is announced by ‘Ghostery’

12 (MIT Technology Review) GhostRank takes note of ads encountered and blocked, and sends that information back to advertisers so they can better formulate their ads to avoid being blocked … and what Ghostery actually does

13 TRUSTe : an online trust certification : Gap between what is announced by TRUSTe and what it actually does

14 Our project aims to analyze the potential mismatch between what is announced (by analyzing privacy policies) and what is observed: Is there a risk of ‘adverse selection’ ? What should you look for in a ‘good privacy policy’ ? How to insure that the website does what it says ? IT IS ALMOST IMPOSSIBLE TO ANSWER THESE QUESTIONS SCIENTIFICALLY WITHOUT AN INTERDICIPLINARY APPROACH The liar’s paradox : « I say that i am lying »

15 The contribution of lawyers For lawyers: the content analysis of privacy policies aims to see if what is said by the website is consistent with what the law requires It is needed to qualify (to code, for subsequent statistical processing) the content of a sample of privacy policies in the light of the law: Constitution, convention n° 108 du Conseil de l’Europe du 28 janvier 1981, charte des droits fondamentaux de l’Union européenne, directive n° 95/46/CE et loi du 6 janvier 1978 modifiée… … including the lessons learnt from past experiences: for example, ‘PrimeLife’, ‘P3P’, ‘Privacy Dictionary’; the littérature (i.e. Cranor and al.), article 29 (G29) working party…

16 The contribution of economists For economists, a privacy policy can be seen as a signal (cf. the signaling theory) in the on-line world, where web transactions are inherently asymmetrical vis-à- vis information privacy : the website has more knowledge than the visitor of what they will do to protect consumer privacy (c.f. Reay & al., 2009) 3 assumptions concerning the type of signal: 1. As there is no legal obligation, some websites may display nothing (no privacy policy), then, the signal is null (but this information is a signal!) 2. The content of a privacy policy is not 'random', this content shows a strategic behavior 3. The content of a privacy policy could result from a ‘herd behavior’ where a group of websites has adopted the same privacy policy

17 The contribution of computer scientists analyze websites tracking (for example by using and testing confidentiality tools such as ‘LightBeam’ or 'Privacy Dashboard'), study the collapse of the Platform for Privacy Preferences (P3P) protocol (cf. L. Cranor, 2012), a mechanism to help privacy protection on the Web. “This mechanism relies on the use of machine-readable privacy policies, posted on a website, and interpreted by client-side browser extension.” define and test a ‘privacy dictionary’ (cf. A. J. Gill & al., 2011).

18 Our partnership with the CLCV While the citizen is at the center of the debate and remains the supplier of personal data, users’ behavior is often set aside ! Our partnership with CLCV will enable us to focus our analysis in web user behavior

19 Afterwards ? ANR project-based research H2020 : The EU Framework Program for Research and Innovation New partnerships A new workshop (2015)

20 Thanks a lot !

Download ppt "The ‘PAIPPSI’ Research Project « Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet » ‘An interdisciplinary analysis of."

Similar presentations

Ads by Google