
Slide 1: CyLab Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/
Introduction to Privacy and P3P, Fall 2009

Slide 2: Privacy is hard to define
“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
Robert C. Post, Three Concepts of Privacy, 89 Geo. L.J. 2087 (2001).

Slide 3: Britney Spears: “We just need privacy”
“You have to realize that we’re people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being.”
Britney Spears, 15 June 2006, NBC Dateline. http://www.cnn.com/2006/SHOWBIZ/Music/06/15/people.spears.reut/index.html

Slide 4: Only a goldfish can live without privacy…

Slide 5: Some definitions from the academic literature
• Personhood
• Intimacy
• Secrecy
• Contextual integrity
• Limited access to the self
• Control over information
(The last two are the definitions most relevant to “usable privacy”; slides 6 to 8 elaborate on them.)

Slide 6: Limited access to self
“Being alone.” - Shane (age 4)
1890: “the right to be let alone” - Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)
1980: “our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention.” - Ruth Gavison, “Privacy and the Limits of the Law,” Yale Law Journal 89 (1980)

Slide 7: Control over information
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”
“…each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….”
Alan Westin, Privacy and Freedom, 1967

Slide 8: Realizing limited access and control
• Limited access
  – Laws to prohibit or limit collection, disclosure, contact
  – Technology to facilitate anonymous transactions, minimize disclosure
• Control
  – Laws to mandate choice (opt-in/opt-out)
  – Technology to facilitate informed consent, keep track of and enforce privacy preferences

Slide 9: Privacy concerns seem inconsistent with behavior
• People say they want privacy, but don’t always take steps to protect it
• Many possible explanations
  – They don’t really care that much about privacy
  – They prefer immediate gratification to privacy protections that they won’t benefit from until later
  – They don’t understand the privacy implications of their behavior
  – The cost of privacy protection (including figuring out how to protect their privacy) is too high

Slide 10: Privacy policies
• Inform consumers about privacy practices
  – Consumers can decide whether practices are acceptable, and when to opt out
• Most policies require college-level reading skills to understand, are long, and change without notice
  – Few people read privacy policies
• Existing privacy policies are not an effective way to inform consumers or give them privacy controls

Slide 11: Cost of reading privacy policies
• What would happen if everyone read the privacy policy for each site they visited once each month?
• Time = 244 hours/year
• Cost = $3,534/year
• National opportunity cost for time to read policies: $781 billion
A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society. 2008 Privacy Year in Review Issue. http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf

Slide 12: Privacy policy format study
• Reading-comprehension and opinion questions about privacy policies in various formats
• People could accurately answer questions where they could find the answer by scanning or keyword
  – Does Acme use cookies? (98%)
• People had trouble with questions that required more reading comprehension
  – Does this policy allow Acme to put you on an email marketing list? (71%)
  – Does this policy allow Acme to share your email address with a marketing company that might put you on their email marketing list? (52%)
• Even well-written policies are not well-liked and are difficult to use
• Layered notices don’t appear to help much
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009. http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf

Slide 13: Can we create a better privacy policy?
• Easy to understand
• Fast to find information
• Easy to compare

Slide 14: Towards a privacy “nutrition label”
• Standardized format
  – People learn where to look for answers to their questions
  – Facilitates side-by-side policy comparisons
• Standardized language
  – People learn what the terminology means
• Brief
  – People can get their questions answered quickly
• Linked to extended view
  – People can drill down and get more details if needed

Slide 15: Nutrition labels for privacy
• Iterative process
• Next steps: put it online and make it interactive
• http://cups.cs.cmu.edu/privacyLabel
P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A “Nutrition Label” for Privacy. SOUPS 2009. http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf

Slide 16: Another approach to privacy communication
• Privacy Finder search engine
• Checks each search result for a computer-readable P3P privacy policy and evaluates it against the user’s preferences
• Composes a search result page with privacy meter annotations and links to a “Privacy Report”
• Allows people to comparison shop for privacy
• http://privacyfinder.org/

Slide 17: Demo

Slides 18-20: no text (images only)

Slide 21: Impact of privacy information on decision making
• Online shopping study conducted at CMU lab
• Paid participants to make online purchases with their own credit cards, exposing their own personal information
• Participants were paid a fixed amount and told to keep the change: a real tradeoff between money and privacy
• Studies demonstrate that when readily accessible and comparable privacy information is presented in search results, many people will pay more for better privacy
J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. WEIS 2007. http://weis2007.econinfosec.org/papers/57.pdf
S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI 2009. http://www.guanotronic.com/~serge/papers/chi09a.pdf
http://privacyfinder.org/

Slide 22: Requirements for meaningful control
• Individuals must understand what options they have
• Individuals must understand the implications of their options
• Individuals must have the means to exercise options
• Costs must be reasonable
  – Money, time, convenience, benefits

Slide 23: Location-Based Services
• Surveyed 89 location-sharing services
  – 17% had easily-accessible privacy settings
  – 12% allowed users to specify rules to share location with groups of their friends
  – Only 1 had time- or location-based rules
J. Tsai, P. Kelley, L. Cranor, and N. Sadeh. Location-Sharing Technologies: Privacy Risks and Controls. TPRC 2009. http://cups.cs.cmu.edu/LBSprivacy/

Slide 24: Privacy in a location finding service, http://locaccino.org/

Slide 25: Privacy rules

Slide 26: Feedback

Slide 27: Introduction to the Platform for Privacy Preferences (P3P)

Slide 28: P3P Basics
• P3P provides a standard XML format that web sites use to encode their privacy policies
• Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site
• Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set
• No special server software required
• User software that reads P3P policies is called a “P3P user agent”
  – Built into some web browsers
  – Plug-ins and services, e.g. http://privacyfinder.org/

Slide 29: P3P in Internet Explorer
Privacy icon on the status bar indicates that a cookie has been blocked; a pop-up appears the first time the privacy icon appears.
Automatic processing of compact policies only; third-party cookies without compact policies are blocked by default.

Slide 30: Users can click on the privacy icon for a list of cookies; privacy summaries are available at sites that are P3P-enabled

Slide 31: Privacy summary report is generated automatically from the full P3P policy

Slide 32: Other P3P User Agents
• http://privacyfinder.org/
• Privacy Nutrition Label

Slide 33: What’s in a P3P policy?
• Name and contact information for the site
• The kind of access provided
• Mechanisms for resolving privacy disputes
• The kinds of data collected
• How collected data is used, and whether individuals can opt in or opt out of any of these uses
• Whether/when data may be shared and whether there is opt-in or opt-out
• Data retention policy

Slide 34: Assertions in a P3P Policy
• General assertions
  – Location of human-readable policies and opt-out mechanisms (discuri and opturi attributes)
  – Indication that the policy is for testing only (optional)
  – Web site contact information
  – Access information
  – Information about dispute resolution (optional)
• Data-specific assertions
  – Consequence of providing data (optional)
  – Indication that no identifiable data is collected (optional)
  – How data will be used
  – With whom data may be shared
  – Whether opt-in and/or opt-out is available (required attribute)
  – Data retention policy
  – What kind of data is collected
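As an added illustration of slides 33 and 34 (this is example code written for this page, not the slides' or the CUPS lab's code), here is a constructed P3P 1.0 policy in the XML format the deck describes, together with a small reader that extracts the data-specific assertions a P3P user agent such as Privacy Finder would compare against a user's preferences. The element names, the namespace and the `required` attribute are those of the P3P 1.0 specification; the policy contents, the example.invalid URLs and the "disliked purposes" preference are assumptions made for the example.

```python
"""Added example (not the slides' or the CUPS lab's code): a constructed
P3P 1.0 policy in the XML format described above, and a reader that pulls
out the data-specific assertions a P3P user agent (e.g. Privacy Finder)
compares against user preferences. Element names follow the P3P 1.0 spec."""
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace

# Constructed sample: e-mail collected for the current transaction and for
# opt-out marketing contact, kept for the stated purpose, shared with no one.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="shop" discuri="http://example.invalid/privacy.html"
          opturi="http://example.invalid/optout.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA>
    </DATA-GROUP></ENTITY>
    <ACCESS><contact-and-other/></ACCESS>
    <DISPUTES-GROUP><DISPUTES resolution-type="service"
        service="http://example.invalid/complaints"/></DISPUTES-GROUP>
    <STATEMENT>
      <PURPOSE><current/><contact required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

def _choices(statement, section):
    """Map each PURPOSE or RECIPIENT child to its required attribute.
    P3P defaults required to "always" (no opt-in/opt-out) when absent."""
    return {c.tag.replace(NS, ""): c.get("required", "always")
            for c in statement.find(NS + section)}

def read_statements(policy_xml):
    """Parse a P3P policy document into one summary dict per STATEMENT."""
    root = ET.fromstring(policy_xml)
    out = []
    for policy in root.findall(NS + "POLICY"):
        for st in policy.findall(NS + "STATEMENT"):
            out.append({
                "policy": policy.get("name"),
                "purposes": _choices(st, "PURPOSE"),
                "recipients": _choices(st, "RECIPIENT"),
                "retention": [c.tag.replace(NS, "")
                              for c in st.find(NS + "RETENTION")],
                "data": [d.get("ref") for d in st.iter(NS + "DATA")],
            })
    return out

def needs_user_attention(summary, disliked=("contact", "telemarketing")):
    """Assumed user preference: flag data used for a disliked purpose with
    no choice offered, or shared with anyone other than the site itself."""
    if any(summary["purposes"].get(p) == "always" for p in disliked):
        return True
    return any(r != "ours" for r in summary["recipients"])

if __name__ == "__main__":
    for s in read_statements(SAMPLE_POLICY):
        print(s["policy"], "needs attention" if needs_user_attention(s) else "ok")
```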

Slide 35: Web Site Adoption of P3P
• Ecommerce sites are more likely to implement P3P
  – 10% of results from typical search terms have P3P
  – 21% of results from ecommerce search terms have P3P
• More popular sites are more likely to implement P3P
  – 5% of sites in our cache have P3P
  – 9% of the 30K most clicked on domains have P3P
  – 17% of clicks to the 30K most clicked on domains have P3P
• Searches frequently return P3P-enabled hits
  – 83% of searches had at least one P3P-enabled site in the top 20 results
  – 68% of searches had at least one P3P-enabled site in the top 10 results
L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, 2008.

Slide 36: Legal Issues
• The P3P specification does not address the legal standing of P3P policies or include enforcement mechanisms
• The P3P specification requires P3P policies to be consistent with natural-language privacy policies
  – P3P policies and natural-language policies are not required to contain the same level of detail
  – Typically natural-language policies contain more detailed explanations of specific practices
• In some jurisdictions, regulators and courts may treat P3P policies equivalently to natural-language privacy policies
• The same corporate attorneys and policy makers involved in drafting the natural-language privacy policy should be involved in creating the P3P policy

Slide 37: Privacy policy vs. P3P policy
Privacy policy | P3P policy
Designed to be read by a human | Designed to be read by a computer
Can contain fuzzy language with “wiggle room” | Mostly multiple choice: sites must place themselves in one “bucket” or another
Can include as much or as little information as a site wants | Must include disclosures in every required area
Easy to provide detailed explanations | Limited ability to provide detailed explanations
Sometimes difficult for users to determine the boundaries of what it applies to and when it might change | Precisely scoped
Web site controls presentation | User agent controls presentation

Slide 38: P3P Deployment Overview
• Create a privacy policy
• Analyze the use of cookies and third-party content on your site
• Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site
• Create a P3P policy (or policies) for your site
• Create a policy reference file for your site
• Configure your server for P3P
• Test your site to make sure it is properly P3P enabled
  – http://www.w3.org/P3P/validator.html

Slide 39: IBM P3P Policy Editor
Sites can list the types of data they collect and view the corresponding P3P policy.

Slide 40: Internet Explorer Cookie Blocking
• Default cookie-blocking behavior in Internet Explorer (versions 6, 7, 8)
  – Block third-party cookies without P3P compact policies
  – Block third-party cookies with “unsatisfactory” compact policies
  – IE considers cookies third-party if they come from a different domain name than the page they are embedded in, even if both domains are owned by the same company
• IE considers cookies unsatisfactory if
  – They are associated with PII that is shared or used for marketing, profiling, or unknown purposes
  – And no opt-out is available
L. Cranor. Help! IE6 Is Blocking My Cookies. http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html
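The compact-policy rule stated on this slide, worked through as an added example (written for this page; not the slides' or the CUPS lab's code, and not Internet Explorer's actual implementation): a parser for the P3P compact policy tokens carried in the `CP="..."` value of a server's P3P header, and the third-party cookie decision that follows from the slide's two conditions. The token vocabulary is the P3P 1.0 compact policy vocabulary; which category tokens count as PII, which purpose tokens count as marketing/profiling/unknown, and which recipient tokens count as sharing are assumptions chosen to approximate the slide's wording. The sample headers are constructed.

```python
"""Added example (not from the slides): a simplified model of the slide's
third-party cookie rule. Parses a P3P compact policy (the CP="..." value
of a P3P response header) and decides block/allow. Token names are the
P3P 1.0 compact vocabulary; the groupings below are assumptions that
approximate the slide's wording, not IE's real rule set."""
import re

# Category tokens treated as personally identifiable information (assumption).
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
# Purpose tokens treated as marketing, profiling or unknown use (assumption).
SENSITIVE_PURPOSES = {"CON", "TEL",                        # marketing contact
                      "TAI", "PSA", "PSD", "IVA", "IVD",   # profiling
                      "OTP"}                               # other/unknown
# Recipient tokens that mean data leaves the site (assumption: all but OUR).
SHARING_RECIPIENTS = {"DEL", "SAM", "OTR", "UNR", "PUB"}

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")
HEADER_RE = re.compile(r'CP\s*=\s*"([^"]*)"')

def parse_compact_policy(cp_value):
    """Split a CP string into (base_token, required) pairs. The suffix is
    a=always, i=opt-in, o=opt-out; a missing suffix is treated as 'a'."""
    tokens = []
    for raw in cp_value.split():
        m = TOKEN_RE.match(raw)
        if not m:
            raise ValueError(f"malformed compact policy token: {raw!r}")
        tokens.append((m.group(1), m.group(2) or "a"))
    return tokens

def is_unsatisfactory(tokens):
    """Slide rule: PII present AND (shared OR marketing/profiling/unknown
    purpose) AND no opt-out. Opt-in ('i') is also counted as a choice."""
    if not {base for base, _ in tokens} & PII_CATEGORIES:
        return False
    return any(base in SENSITIVE_PURPOSES | SHARING_RECIPIENTS and req == "a"
               for base, req in tokens)

def third_party_cookie_decision(p3p_header):
    """Return 'block' or 'allow' for a third-party cookie, given the raw
    P3P header value (None when the server sent no P3P header at all)."""
    if p3p_header is None:
        return "block"          # no compact policy: blocked by default
    m = HEADER_RE.search(p3p_header)
    if not m:
        return "block"          # header present but no CP value
    return "block" if is_unsatisfactory(parse_compact_policy(m.group(1))) else "allow"

# Constructed sample headers (not taken from any real site).
SATISFACTORY = 'CP="NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS ONL UNI PUR INT NAV STA"'
UNSATISFACTORY = 'CP="NOI DSP COR CURa ADMa CONa TELa OTRa BUS PHY ONL UNI"'

if __name__ == "__main__":
    for header in (None, SATISFACTORY, UNSATISFACTORY):
        print(third_party_cookie_decision(header), header)
```

The first constructed header is allowed because its profiling purposes (PSA, PSD) carry an opt-out; the second is blocked because contact data (PHY, ONL) is used for marketing (CON, TEL) and shared (OTR) with no choice offered.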

Slide 41: Engineering privacy

Slide 42: How Privacy Rights are Protected
• By policy
  – Protection through laws and organizational privacy policies
  – Must be enforced
  – Often requires mechanisms to obtain and record consent
  – Transparency facilitates choice and accountability
  – Technology facilitates compliance and reduces the need to rely solely on trust and external enforcement
  – Technology reduces or eliminates any form of manual processing or intervention by humans
  – Violations still possible due to bad actors, mistakes, government mandates
• By architecture
  – Protection through technology
  – Reduces the need to rely on trust and external enforcement
  – Violations only possible if technology fails or the availability of new data or technology defeats protections
  – Often viewed as too expensive or restrictive: limits the amount of data available for data mining, R&D, targeting, other business purposes; may require more complicated system architecture, expensive cryptographic operations
Pay now or pay later

Slide 43: Privacy stages (Degrees of Identifiability)
Columns: stage; identifiability; approach to privacy protection; linkability of data to personal identifiers; system characteristics
Stage 0: identified; privacy by policy (notice and choice); linked; unique identifiers across databases, contact information stored with profile information
Stage 1: pseudonymous; privacy by policy (notice and choice); linkable with reasonable & automatable effort; no unique identifiers across databases, common attributes across databases, contact information stored separately from profile or transaction information
Stage 2: pseudonymous; privacy by architecture; not linkable with reasonable effort; no unique identifiers across databases, no common attributes across databases, random identifiers, contact information stored separately from profile or transaction information, collection of long-term person characteristics on a low level of granularity, technically enforced deletion of profile details at regular intervals
Stage 3: anonymous; privacy by architecture; unlinkable; no collection of contact information, no collection of long-term person characteristics, k-anonymity with large value of k
Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering. Vol. 35, No. 1, January/February 2009, pp. 67-82. http://ssrn.com/abstract=1085333

Slide 44: CyLab Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/

