1. 1 Privacy Online Jane Turk, Ph.D. CIS 610 Summer 2003

2. 2 Outline background & perspectives surveys of current Internet use children’s online privacy consumer online privacy possible solution routes

3. 3 Business Perspective Direct Marketing: > $176 billion a year over 10,000 compiled & publicly traded databases on market today private databases, with little or no regulation except in financial industry ability to capture info about users on Web target marketing

4. 4 Privacy Perspective protecting privacy of consumer info is “very” important to consumers consumers don’t know scope of data maintained on them strong privacy standards develop trust in users encourage development of online commerce

5. 5 Major Concerns of Consumers companies they patronize will provide their information to other companies without their permission (75%) their transactions may not be secure (70%) hackers will steal their personal data (69%) source: Harris survey, Nov 2001

6. 6 Most Important Elements to be Verified security measures are adequate (90%) company does not release customer personal data without permission (89%) access within the company is limited (84%) company is only collecting info that its privacy policies dictate (84%) info use or sharing follows stated privacy policies (81%) source: Harris survey, Nov 2001

7. 7 Suggested Remedy verify privacy policy by a third party (and 91% would do more business) online seal of approval does not necessarily verify BBBOnLine and Truste audit by major accounting firm PricewaterhouseCoopers source: Harris survey, Nov 2001

8. 8 Fair Information Principles consumers be given: notice of entity’s info practices choice/consent with respect to secondary use & dissemination of info collected from or about them access to info about them collector assure security & integrity of info provide enforcement mechanism

9. 9 Public Records Online NYC voter registration site NJ info on those licensed by state registries of sex offenders federal judges’ recommendation to put most civil proceedings online but to restrict criminal proceedings good source: www.epic.org/privacy/publicrecords www.epic.org/privacy/publicrecords

10. 10 Children’s Privacy Federal Trade Commission: children are avid consumers and influence spending information collection targets are ages 8- 11 business goal: microtarget individual child CME 1996 study exposed the issues

11. 11 FTC “Kids Privacy Surf Day” “snapshot’, not comprehensive survey 126 sites listed by Yahooligans! results announced Dec 1997 86% of sites surveyed were collecting personally identifiable info on children fewer than 30% of sites had privacy policy another review March 1998

12. 12 FTC 1998 Report: Children’s Sites of 212 sites directed at children 89% collect personally identifiable info directly from children 54% disclose info collection practices fewer than 10% provide for some form of parental control

13. 13 Children’s Online Privacy Protection Act (1998) parental consent required for collection, use, disclosure of personal information from children under 13 parents may prevent further use or collection parents may review information

14. 14 Privacy Journal Recommendations parent approve kid’s giving email address totally involved in kid’s giving physical address order products in parent’s name kid can use (false) nickname never use name and address to buy

15. 15 Annenberg 2000 Study 29% of parents would give identifying info in exchange for a free gift worth $100 45% of kids ages 10-17 would 39% of girls, 54% of boys  parents need help

16. 16 Cookies passive files stored on hard drives of Netscape & Microsoft IE users store a customer ID number for site/network used by online advertisers to track a user’s movements profiling, preferences issue: transparency

17. 17 Why Cookies? HTTP is stateless: keeps no information from a connection with cookies, a Web page can “remember” you from your last visit enable much of interactivity customization, shopping baskets

18. 18 Online Profiling: How and Where cookies, web bugs, URLs, info you provide anonymous, unless you identify yourself in customer database of the site/network pages/sites visited DoubleClick tracks movement on 1500 sites

19. 19 Online Profiling: Pros and Cons : deliver desired content to user : provide information about interests of individual : aggregate info about site  info collected often without knowledge or consent

20. 20 Spyware conducts surveillance on a computer usually placed without knowledge or consent of computer owner violates basic FIPS e.g., “phone home” programs, Web bugs, home web monitoring

21. 21 Web Bugs clear GIFs, embedded images transmit info when page is viewed: where, when designed to monitor who is viewing page e.g., HTML mail recent SW enables detection

22. 22 The Net NEVER Forgets Internet Archive scoops up the Web postings to Usenet groups are saved in Deja News now http://groups.google.com posts to email forums and chat services are searchable è public record

23. 23 Costs to Business of Not Protecting Privacy sales lost may be $18 billion older business models may be less effective than privacy-friendly models lost opportunities and higher costs for imported personal data “safe harbor” includes complying with FIPS source: Robert Gellman, “Privacy, Consumers, and Costs”

24. 24 Costs to Consumers When Privacy Is Not Protected higher prices stopping junk mail and telemarketing calls avoiding identity theft protecting privacy on the Internet source: Robert Gellman, “Privacy, Consumers, and Costs”

25. 25 Solution Routes education, including fair information principles best business practices industry self-regulation technology legislation

26. 26 Industry Self-Regulation for privacy depends on posted privacy policies coming: integrated suites of tools online privacy seal programs e.g., TRUSTe, BBBOnLine implement some FIPS and monitor compliance public audit of privacy policies e.g., www.thedailyapple.com

27. 27 FTC Action Against Toysmart privacy policy promised never to divulge customer information certified by TRUSTe FTC could intervene bankrupt company advertised “databases and customer lists” for sale FTC sued to prevent sale of customer info

28. 28 Privacy Enhancing Technologies (PETs) seek to eliminate use of personal data from transactions or give direct control for disclosure of personal information to individual concerned standard format for ratings systems: Platform for Internet Content Selection machine-to-machine protocol for data exchange: P3P (Platform for Privacy Preferences) anonymous use

29. 29 Proposed Online Personal Privacy Act (S. 2201 in 107th) opt-in for sensitive personally identifiable info opt-out for less sensitive info follows most FIPS preempts state legislation on online privacy

30. 30 Sources Adkinson, William et al. “Privacy Online: A report on the information practices and policies of commercial web sites,” March 2002. The Progress and Freedom Foundation. Center for Democracy and Technology. “Guide to Online Privacy,” http://www.cdt.org/privacy/guide/introduction/ http://www.cdt.org/privacy/guide/introduction/ Electronic Privacy Information Center. "Surfer Beware III: Privacy Policies Without Privacy Protection." Dec. 1999

31. 31 Federal Trade Commission. “Privacy Online: Fair Information Practices in the Electronic Marketplace,” May 2000, www.ftc.gov/reports/privacy2000/privacy2000.pdf www.ftc.gov/reports/privacy2000/privacy2000.pdf  Gellman, Robert. “Privacy, Consumers, and Costs: how the lack of privacy costs consumers and why business studies of privacy costs are biased and incomplete,” March 2002. www.epic.org/reports/dmfprivacy.html www.epic.org/reports/dmfprivacy.html

32. 32 Goldman, Janlori and Zoe Hudson and Richard M. Smith. “Privacy Report on the Privacy Policies and practices of Health Web Sites”. Sponsored by California HealthCare Foundation, January 2000, http://admin.chcf.org/documents/ehealth/privacyweb report.pdf Pew Internet and American Life Project. “Trust and Privacy Online: Why Americans Want to Rewrite the Rules,” Aug 2000, www.pewinternet.org/reports/pdfs/PIP_Trust_Privacy _Report.pdf