Introduction to Privacy and P3P (CyLab Usable Privacy and Security Laboratory)

Slide 1: Introduction to Privacy and P3P, Fall

Slide 2: Privacy is hard to define
"Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all." Robert C. Post, Three Concepts of Privacy, 89 Geo. L.J. (2001).

Slide 3: Britney Spears: "We just need privacy"
"You have to realize that we're people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being." Britney Spears, 15 June 2006, NBC Dateline. /SHOWBIZ/Music/06/15/people.spears.reut/index.html

Slide 4: Only a goldfish can live without privacy…

Slide 5: Some definitions from the academic literature
- Personhood
- Intimacy
- Secrecy
- Contextual integrity
- Limited access to the self
- Control over information
Most relevant to "usable privacy"

Slide 6: Limited access to self
- "Being alone." Shane (age 4)
- 1890: "the right to be let alone." Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)
- 1980: "our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others' attention." Ruth Gavison, "Privacy and the Limits of the Law," Yale Law Journal 89 (1980)

Slide 7: Control over information
"Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."
"…each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication…."
Alan Westin, Privacy and Freedom, 1967

Slide 8: Realizing limited access and control
- Limited access
  - Laws to prohibit or limit collection, disclosure, contact
  - Technology to facilitate anonymous transactions, minimize disclosure
- Control
  - Laws to mandate choice (opt-in/opt-out)
  - Technology to facilitate informed consent, keep track of and enforce privacy preferences

Slide 9: Privacy concerns seem inconsistent with behavior
- People say they want privacy, but don't always take steps to protect it
- Many possible explanations
  - They don't really care that much about privacy
  - They prefer immediate gratification to privacy protections that they won't benefit from until later
  - They don't understand the privacy implications of their behavior
  - The cost of privacy protection (including figuring out how to protect their privacy) is too high

Slide 10: Privacy policies
- Inform consumers about privacy practices
  - Consumers can decide whether practices are acceptable, when to opt out
- Most policies require college-level skills to understand, are long, and change without notice
  - Few people read privacy policies
- Existing privacy policies are not an effective way to inform consumers or give them privacy controls

Slide 11: Cost of reading privacy policies
- What would happen if everyone read the privacy policy for each site they visited once each month?
- Time = 244 hours/year
- Cost = $3,534/year
- National opportunity cost for time to read policies: $781 billion
A. McDonald and L. Cranor. The Cost of Reading Privacy Policies. I/S: A Journal of Law and Policy for the Information Society, Privacy Year in Review Issue. http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf

Slide 12: Privacy policy format study
- Reading-comprehension and opinion questions about privacy policies in various formats
- People could accurately answer questions where they could find the answer by scanning or keyword
  - Does Acme use cookies? (98%)
- People had trouble with questions that required more reading comprehension
  - Does this policy allow Acme to put you on a marketing list? (71%)
  - Does this policy allow Acme to share your address with a marketing company that might put you on their marketing list? (52%)
- Even well-written policies are not well-liked and are difficult to use
- Layered notices don't appear to help much
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium. http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf

Slide 13: Can we create a better privacy policy?
- Easy to understand
- Fast to find information
- Easy to compare

Slide 14: Towards a privacy "nutrition label"
- Standardized format
  - People learn where to look for answers to their questions
  - Facilitates side-by-side policy comparisons
- Standardized language
  - People learn what the terminology means
- Brief
  - People can get their questions answered quickly
- Linked to extended view
  - People can drill down and get more details if needed

Slide 15: Nutrition labels for privacy
- Iterative process
- Next steps: put it online and make it interactive
- u/privacyLabel
P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS. /2009/proceedings/a4-kelley.pdf

Slide 16: Another approach to privacy communication
- Privacy Finder search engine
- Checks each search result for a computer-readable P3P privacy policy and evaluates it against the user's preferences
- Composes a search result page with privacy meter annotations and links to a "Privacy Report"
- Allows people to comparison shop for privacy

Slide 17: Demo

Slides 18, 19, 20: (no text on slide)

Slide 21: Impact of privacy information on decision making
- Online shopping study conducted at CMU lab
- Paid participants to make online purchases with their own credit cards, exposing their own personal information
- Participants were paid a fixed amount and told to keep the change: a real tradeoff between money and privacy
- Studies demonstrate that when readily accessible and comparable privacy information is presented in search results, many people will pay more for better privacy
J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. WEIS.
S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. Timing is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI.

Slide 22: Requirements for meaningful control
- Individuals must understand what options they have
- Individuals must understand the implications of their options
- Individuals must have the means to exercise options
- Costs must be reasonable
  - Money, time, convenience, benefits

Slide 23: Location-Based Services
- Surveyed 89 location-sharing services
  - 17% had easily-accessible privacy settings
  - 12% allowed users to specify rules to share location with groups of their friends
  - Only 1 had time- or location-based rules
J. Tsai, P. Kelley, L. Cranor, and N. Sadeh. Location-Sharing Technologies: Privacy Risks and Controls. TPRC.

Slide 24: Privacy in a location finding service

Slide 25: Privacy rules

Slide 26: Feedback

Slide 27: Introduction to the Platform for Privacy Preferences (P3P)

Slide 28: P3P Basics
- P3P provides a standard XML format that web sites use to encode their privacy policies
- Sites also provide XML "policy reference files" to indicate which policy applies to which part of the site
- Sites can optionally provide a "compact policy" by configuring their servers to issue a special P3P header when cookies are set
- No special server software required
- User software to read P3P policies is called a "P3P user agent"
  - Built into some web browsers
  - Plug-ins and services, e.g.

Slide 29: P3P in Internet Explorer
- Privacy icon on status bar indicates that a cookie has been blocked
  - A pop-up appears the first time the privacy icon appears
- Automatic processing of compact policies only; third-party cookies without compact policies blocked by default

Slide 30: Users can click on the privacy icon for a list of cookies; privacy summaries are available at sites that are P3P-enabled

Slide 31: Privacy summary report is generated automatically from the full P3P policy

Slide 32: Other P3P User Agents; Privacy Nutrition Label

Slide 33: What's in a P3P policy?
- Name and contact information for the site
- The kind of access provided
- Mechanisms for resolving privacy disputes
- The kinds of data collected
- How collected data is used, and whether individuals can opt in or opt out of any of these uses
- Whether/when data may be shared and whether there is opt-in or opt-out
- Data retention policy

Slide 34: Assertions in a P3P Policy
- General assertions
  - Location of human-readable policies and opt-out mechanisms: discuri and opturi attributes of <POLICY>
  - Indication that policy is for testing only: <TEST> (optional)
  - Web site contact information: <ENTITY>
  - Access information: <ACCESS>
  - Information about dispute resolution: <DISPUTES> (optional)
- Data-specific assertions
  - Consequence of providing data: <CONSEQUENCE> (optional)
  - Indication that no identifiable data is collected: <NON-IDENTIFIABLE> (optional)
  - How data will be used: <PURPOSE>
  - With whom data may be shared: <RECIPIENT>
  - Whether opt-in and/or opt-out is available: required attribute of <PURPOSE> and <RECIPIENT>
  - Data retention policy: <RETENTION>
  - What kind of data is collected: <DATA>

Slide 35: Web Site Adoption of P3P
- Ecommerce sites more likely to implement P3P
  - 10% of results from typical search terms have P3P
  - 21% of results from ecommerce search terms have P3P
- More popular sites are more likely to implement P3P
  - 5% of sites in our cache have P3P
  - 9% of 30K most clicked on domains have P3P
  - 17% of clicks to 30K most clicked on domains have P3P
- Searches frequently return P3P-enabled hits
  - 83% of searches had at least one P3P-enabled site in top 20 results
  - 68% of searches had at least one P3P-enabled site in top 10 results
L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury. P3P Deployment on Websites. Electronic Commerce Research and Applications, 2008.

Slide 36: Legal Issues
- P3P specification does not address legal standing of P3P policies or include enforcement mechanisms
- P3P specification requires P3P policies to be consistent with natural-language privacy policies
  - P3P policies and natural-language policies are not required to contain the same level of detail
  - Typically natural-language policies contain more detailed explanations of specific practices
- In some jurisdictions, regulators and courts may treat P3P policies equivalently to natural-language privacy policies
- The same corporate attorneys and policy makers involved in drafting the natural-language privacy policy should be involved in creating the P3P policy

Slide 37: Privacy policy vs. P3P policy

Privacy policy | P3P policy
Designed to be read by a human | Designed to be read by a computer
Can contain fuzzy language with "wiggle room" | Mostly multiple choice: sites must place themselves in one "bucket" or another
Can include as much or as little information as a site wants | Must include disclosures in every required area
Easy to provide detailed explanations | Limited ability to provide detailed explanations
Sometimes difficult for users to determine boundaries of what it applies to and when it might change | Precisely scoped
Web site controls presentation | User agent controls presentation

Slide 38: P3P Deployment Overview
- Create a privacy policy
- Analyze the use of cookies and third-party content on your site
- Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site
- Create a P3P policy (or policies) for your site
- Create a policy reference file for your site
- Configure your server for P3P
- Test your site to make sure it is properly P3P enabled
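The two XML artifacts from the deployment steps above (a policy reference file and a full P3P policy), together with the assertions listed on slide 34, exercised by a small user-agent back end. This is an added example, not code from the lecture or from any P3P user agent or editor: both documents are constructed here, the host, paths and the policy names forBrowsers and forCatalog are made up, and the matching rule used (first POLICY-REF whose INCLUDE matches the path and whose EXCLUDE does not) is a simplification of the specification's matching rules.

```python
"""Added example: a minimal P3P user-agent back end (not the lecture's code).
Finds the policy covering a URL path via the policy reference file and
summarizes the assertions of a full policy. XML documents are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"p3p": "http://www.w3.org/2002/01/P3Pv1"}  # P3P 1.0 namespace

# Constructed policy reference file (what a site would serve at /w3c/p3p.xml).
POLICY_REF_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policy.xml#forBrowsers">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/catalog.xml#forCatalog">
      <INCLUDE>/cgi-bin/*</INCLUDE>
      <EXCLUDE>/cgi-bin/internal/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed full policy with one statement (the catalog policy is not embedded).
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="forBrowsers" discuri="http://www.example.com/privacy.html"
          opturi="http://www.example.com/optout.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <DISPUTES-GROUP><DISPUTES resolution-type="service"
        service="http://www.example.com/privacy.html"/></DISPUTES-GROUP>
    <STATEMENT>
      <CONSEQUENCE>We keep server logs and may e-mail you about products.</CONSEQUENCE>
      <PURPOSE><admin/><develop/><contact required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/>
                  <DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""


def _local(tag):
    """Strip the namespace ElementTree puts on tags: '{ns}admin' -> 'admin'."""
    return tag.split("}", 1)[-1]


def _matches(pattern, path):
    """INCLUDE/EXCLUDE matching: '*' matches any run of characters, rest literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, path) is not None


def find_policy_for_path(policyref_xml, path):
    """'about' URI of the first POLICY-REF covering the path, else None.
    A path matched by any EXCLUDE of a POLICY-REF is not covered by it."""
    root = ET.fromstring(policyref_xml)
    for ref in root.iterfind(".//p3p:POLICY-REF", NS):
        included = any(_matches(e.text.strip(), path) for e in ref.findall("p3p:INCLUDE", NS))
        excluded = any(_matches(e.text.strip(), path) for e in ref.findall("p3p:EXCLUDE", NS))
        if included and not excluded:
            return ref.get("about")
    return None


def summarize_policy(policy_xml, name):
    """Collect the general and data-specific assertions of the named POLICY."""
    root = ET.fromstring(policy_xml)
    policy = next(p for p in root.iterfind("p3p:POLICY", NS) if p.get("name") == name)
    summary = {
        "discuri": policy.get("discuri"),
        "opturi": policy.get("opturi"),
        "test_only": policy.find("p3p:TEST", NS) is not None,
        "entity": policy.findtext("p3p:ENTITY/p3p:DATA-GROUP/p3p:DATA", namespaces=NS),
        "access": [_local(c.tag) for c in policy.find("p3p:ACCESS", NS)],
        "disputes": [d.get("service") for d in policy.iterfind(".//p3p:DISPUTES", NS)],
        "statements": [],
    }
    for st in policy.iterfind("p3p:STATEMENT", NS):
        summary["statements"].append({
            "consequence": st.findtext("p3p:CONSEQUENCE", namespaces=NS),
            # 'required' defaults to "always" when the attribute is omitted
            "purposes": [(_local(c.tag), c.get("required", "always"))
                         for c in st.find("p3p:PURPOSE", NS)],
            "recipients": [(_local(c.tag), c.get("required", "always"))
                           for c in st.find("p3p:RECIPIENT", NS)],
            "retention": [_local(c.tag) for c in st.find("p3p:RETENTION", NS)],
            "data": [d.get("ref") for d in st.iterfind("p3p:DATA-GROUP/p3p:DATA", NS)],
        })
    return summary


def choices_for_purpose(summary, purpose):
    """User choices (always / opt-in / opt-out) the policy states for a purpose."""
    return {req for st in summary["statements"] for p, req in st["purposes"] if p == purpose}


if __name__ == "__main__":
    for path in ("/index.html", "/cgi-bin/order", "/cgi-bin/internal/stats"):
        print(path, "->", find_policy_for_path(POLICY_REF_XML, path))
    s = summarize_policy(POLICY_XML, "forBrowsers")
    print(s["entity"], s["access"], s["statements"][0]["purposes"])
    print("contact:", choices_for_purpose(s, "contact"))
```

The third path is covered by neither POLICY-REF (it is excluded from the second), which is the case a deployment test should catch: a URL with no applicable policy is exactly what the last deployment step above is meant to surface. The `required` default of "always" matters for the opt-in/opt-out assertion on slide 34: a purpose element without the attribute means the use is unconditional.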

Slide 39: IBM P3P Policy Editor
Sites can list the types of data they collect and view the corresponding P3P policy.

Slide 40: Internet Explorer Cookie Blocking
- Default cookie-blocking behavior in Internet Explorer (versions 6, 7, 8)
  - Block third-party cookies without P3P compact policies
  - Block third-party cookies with "unsatisfactory" compact policies
  - IE considers cookies third-party if they come from a different domain name than the page they are embedded in, even if both domains are owned by the same company
- IE considers cookies unsatisfactory if
  - They are associated with PII that is shared or used for marketing, profiling, or unknown purposes
  - And no opt-out is available
L. Cranor. Help! IE6 Is Blocking My Cookies.
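The cookie-blocking rule on this slide (and the compact-policy processing mentioned on slide 29), written out as a small evaluator so the effect of each token can be checked. This is an added example and not Internet Explorer's implementation: the token vocabulary is P3P 1.0's compact-policy vocabulary, but which tokens count as PII, marketing, profiling and sharing, and the decision to treat both the opt-in ("i") and opt-out ("o") suffixes as user choice, are assumptions of this model; the HTTP responses and host names are constructed.

```python
"""Added example: the IE cookie-blocking rule from the slide as an evaluator
over P3P compact policies. Not IE's code; the token groupings and the treatment
of 'i'/'o' suffixes as user choice are modelling assumptions. Data constructed."""
import re

# P3P 1.0 compact-policy tokens grouped the way the slide's rule needs them.
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}   # assumed to count as PII in this model
MARKETING = {"CON", "TEL"}                       # contacting the user, telemarketing
PROFILING = {"PSA", "PSD", "IVA", "IVD"}         # pseudonymous/individual analysis and decision
UNKNOWN = {"OTP"}                                # other, unspecified purposes
SHARING = {"DEL", "SAM", "OTR", "UNR", "PUB"}    # any recipient other than OUR


def parse_cp(header_value):
    """Turn a P3P header value such as 'CP="NOI ADMo OUR"' into (token, suffix)
    pairs; suffix is 'a' (always), 'i' (opt-in), 'o' (opt-out) or '' if absent."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if not m:
        return []
    tokens = []
    for tok in m.group(1).split():
        if len(tok) == 4 and tok[3] in "aio":
            tokens.append((tok[:3].upper(), tok[3]))
        else:
            tokens.append((tok.upper(), ""))
    return tokens


def is_unsatisfactory(tokens):
    """The slide's rule: PII is collected, and it is shared or used for marketing,
    profiling or unknown purposes, with no user choice on that use."""
    names = {name for name, _ in tokens}
    if not names & PII_CATEGORIES:
        return False
    risky = MARKETING | PROFILING | UNKNOWN | SHARING
    return any(name in risky and suffix not in ("i", "o") for name, suffix in tokens)


def is_third_party(page_host, cookie_domain):
    """Third-party per the slide: the cookie's domain differs from the page's domain
    (common ownership of both domains does not matter)."""
    d = cookie_domain.lstrip(".").lower()
    host = page_host.lower()
    return not (host == d or host.endswith("." + d))


def evaluate_cookie(page_host, cookie_domain, response_headers):
    """(decision, reason) for one Set-Cookie response under the default rule."""
    if not is_third_party(page_host, cookie_domain):
        return "accepted", "first-party cookie (outside this rule)"
    tokens = parse_cp(response_headers.get("P3P", ""))
    if not tokens:
        return "blocked", "no compact policy"
    if is_unsatisfactory(tokens):
        return "blocked", "unsatisfactory compact policy"
    return "accepted", "satisfactory compact policy"


# Constructed responses from hosts embedded in a page served by www.example.com.
SAMPLE_COOKIES = {
    "ad-network-a": (".ads-a.example", {"P3P": 'CP="NOI DSP COR NID CUR ADMo DEVo TAIo PSAo PSDo OUR"'}),
    "ad-network-b": (".ads-b.example", {"P3P": 'CP="CAO DSP COR PHY ONL UNI CON TEL SAM OTR"'}),
    "ad-network-c": (".ads-c.example", {"P3P": 'CP="CAO DSP COR PHY ONL CONo TELo OUR"'}),
    "ad-network-d": (".ads-d.example", {}),
    "own-site": (".example.com", {}),
}


def evaluate_all(page_host="www.example.com"):
    """Decision for each constructed cookie, keyed by its source."""
    return {name: evaluate_cookie(page_host, domain, headers)[0]
            for name, (domain, headers) in SAMPLE_COOKIES.items()}


if __name__ == "__main__":
    for name, (domain, headers) in SAMPLE_COOKIES.items():
        print(name, evaluate_cookie("www.example.com", domain, headers))
```

Network b is the case the slide warns about: it collects physical and online contact data (PHY, ONL), uses it for contact and telemarketing and shares it, with no suffix offering a choice. Network c makes the same uses but declares opt-out on each (CONo, TELo) and keeps the data in-house (OUR), so the policy is satisfactory. Network a declares non-identifiable collection (NOI) and so never reaches the PII test.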

Slide 41: Engineering privacy

Slide 42: How Privacy Rights are Protected
- By policy
  - Protection through laws and organizational privacy policies
  - Must be enforced
  - Often requires mechanisms to obtain and record consent
  - Transparency facilitates choice and accountability
  - Technology facilitates compliance and reduces the need to rely solely on trust and external enforcement
  - Technology reduces or eliminates any form of manual processing or intervention by humans
  - Violations still possible due to bad actors, mistakes, government mandates
- By architecture
  - Protection through technology
  - Reduces the need to rely on trust and external enforcement
  - Violations only possible if technology fails or the availability of new data or technology defeats protections
  - Often viewed as too expensive or restrictive
    - Limits the amount of data available for data mining, R&D, targeting, other business purposes
    - May require more complicated system architecture, expensive cryptographic operations
    - Pay now or pay later

Slide 43: Privacy stages (Degrees of Identifiability)

Stage | Identifiability | Approach to privacy protection | Linkability of data to personal identifiers | System characteristics
0 | identified | privacy by policy (notice and choice) | linked | unique identifiers across databases; contact information stored with profile information
1 | pseudonymous | privacy by policy (notice and choice) | linkable with reasonable & automatable effort | no unique identifiers across databases; common attributes across databases; contact information stored separately from profile or transaction information
2 | pseudonymous | privacy by architecture | not linkable with reasonable effort | no unique identifiers across databases; no common attributes across databases; random identifiers; contact information stored separately from profile or transaction information; collection of long-term person characteristics on a low level of granularity; technically enforced deletion of profile details at regular intervals
3 | anonymous | privacy by architecture | unlinkable | no collection of contact information; no collection of long-term person characteristics; k-anonymity with large value of k

Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering, Vol. 35, No. 1, January/February 2009, pp.

Slide 44: CyLab Usable Privacy and Security Laboratory