Privacy
Download
1 / 57

Week 9 slides - PowerPoint PPT Presentation


  • 226 Views
  • Uploaded on

Privacy Week 9 - March 15, 17 Privacy policies Policies let consumers know about site’s privacy practices Consumers can decide whether practices are acceptable, when to opt-out Presence increases consumer trust Make companies subject to FTC privacy-related enforcement

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Week 9 slides' - sandra_john


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Privacy l.jpg

Privacy

Week 9 - March 15, 17


Privacy policies l.jpg
Privacy policies

  • Policies let consumers know about site’s privacy practices

  • Consumers can decide whether practices are acceptable, when to opt-out

  • Presence increases consumer trust

  • Make companies subject to FTC privacy-related enforcement

  • Rapid adoption 1998-2001*

    * G.R. Milne and M.J. Culnan 2002. Using the Content of Online Privacy Notices to Inform Public Policy: A Longitudinal Analysis of the 1998-2002 US Web Surveys. The Information Society 18, 5, 245-359.


Privacy policy problems l.jpg
Privacy policy problems

  • BUT policies are often

    • difficult to understand

    • hard to find

    • take a long time to read

    • change without notice


Privacy policy components l.jpg

Identification of site, scope, contact info

Types of information collected

Including information about cookies

How information is used

Conditions under which information might be shared

Information about opt-in/opt-out

Information about access

Information about data retention policies

Information about seal programs

Security assurances

Children’s privacy

Privacy policy components

There is lots of informationto conveys -- but policyshould be brief andeasy-to-read too!

What is opt-in? What is opt-out?



Web privacy concerns l.jpg
Web privacy concerns privacy concerns?

  • Data is often collected silently

    • Web allows large quantities of data to be collected inexpensively and unobtrusively

  • Data from multiple sources may be merged

    • Non-identifiable information can become identifiable when merged

  • Data collected for business purposes may be used in civil and criminal proceedings

  • Users given no meaningful choice

    • Few sites offer alternatives


Browser chatter l.jpg

Browsers chatter about privacy concerns?

IP address, domain name, organization,

Referring page

Platform: O/S, browser

What information is requested

URLs and search terms

Cookies

To anyone who might be listening

End servers

System administrators

Internet Service Providers

Other third parties

Advertising networks

Anyone who might subpoena log files later

Browser Chatter


Typical http request with cookie l.jpg
Typical HTTP request with cookie privacy concerns?

GET /retail/searchresults.asp?qu=beer HTTP/1.0

Referer: http://www.us.buy.com/default.asp

User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA i386)

Host: www.us.buy.com

Accept: image/gif, image/jpeg, image/pjpeg, */*

Accept-Language:en

Cookie:buycountry=us; dcLocName=Basket; dcCatID=6773; dcLocID=6773; dcAd=buybasket; loc=; parentLocName=Basket; parentLoc=6773; ShopperManager%2F=ShopperManager%2F=66FUQULL0QBT8MMTVSC5MMNKBJFWDVH7; Store=107; Category=0


Referer log problems l.jpg
Referer log problems privacy concerns?

  • GET methods result in values in URL

  • These URLs are sent in the referer header to next host

  • Example:

    http://www.merchant.com/cgi_bin/order?name=Tom+Jones&address=here+there&credit+card=234876923234&PIN=1234&->index.html

  • Access log example


Cookies l.jpg
Cookies privacy concerns?

  • What are cookies?

  • What are people concerned about cookies?

  • What useful purposes do cookies serve?


Cookies 101 l.jpg
Cookies 101 privacy concerns?

  • Cookies can be useful

    • Used like a staple to attach multiple parts of a form together

    • Used to identify you when you return to a web site so you don’t have to remember a password

    • Used to help web sites understand how people use them

  • Cookies can do unexpected things

    • Used to profile users and track their activities, especially across web sites


How cookies work the basics l.jpg
How cookies work – the basics privacy concerns?

  • A cookie stores a small string of characters

  • A web site asks your browser to “set” a cookie

  • Whenever you return to that site your browser sends the cookie back automatically

Please store cookie xyzzy

Here is cookie xyzzy

site

browser

site

browser

First visit to site

Later visits


How cookies work advanced l.jpg

Cookies are only sent back to the “site” that set them – but this may be any host in domain

Sites setting cookies indicate path, domain, and expiration for cookies

Cookies can store user info or a database key that is used to look up user info – either way the cookie enables info to be linked to the current browsing session

How cookies work – advanced

Send me with requests for index.html on y.x.com for this session only

Send me with any request to x.com until 2008

DatabaseUsers …

Email …

Visits …

User=Joe

[email protected]

Visits=13

User=4576904309


Cookie terminology l.jpg
Cookie terminology – but this may be any host in domain

  • Cookie Replay – sending a cookie back to a site

  • Session cookie – cookie replayed only during current browsing session

  • Persistent cookie – cookie replayed until expiration date

  • First-party cookie – cookie associated with the site the user requested

  • Third-party cookie – cookie associated with an image, ad, frame, or other content from a site with a different domain name that is embedded in the site the user requested

    • Browser interprets third-party cookie based on domain name, even if both domains are owned by the same company


Web bugs l.jpg
Web bugs – but this may be any host in domain

  • Invisible “images” (1-by-1 pixels, transparent) embedded in web pages and cause referer info and cookies to be transferred

  • Also called web beacons, clear gifs, tracker gifs,etc.

  • Work just like banner ads from ad networks, but you can’t see them unless you look at the code behind a web page

  • Also embedded in HTML formatted email messages, MS Word documents, etc.

  • For software to detect web bugs see: http://www.bugnosis.org


How data can be linked l.jpg
How data can be linked – but this may be any host in domain

  • Every time the same cookie is replayed to a site, the site may add information to the record associated with that cookie

    • Number of times you visit a link, time, date

    • What page you visit

    • What page you visited last

    • Information you type into a web form

  • If multiple cookies are replayed together, they are usually logged together, effectively linking their data

    • Narrow scoped cookie might get logged with broad scoped cookie


Ad networks l.jpg

search for medical information – but this may be any host in domain

buy CD

replay cookie

set cookie

Ad

Ad

Ad networks

Ad companycan get yourname and address fromCD order andlink them to your search

Search Service

CD Store


What ad networks may know l.jpg

Personal data: – but this may be any host in domain

Email address

Full name

Mailing address (street, city, state, and Zip code)

Phone number

Transactional data:

Details of plane trips

Search phrases used at search engines

Health conditions

What ad networks may know…

“It was not necessary for me to click on the banner ads for information to be sent to DoubleClick servers.”

– Richard M. Smith


Online and offline merging l.jpg
Online and offline merging – but this may be any host in domain

  • In November 1999, DoubleClick purchased Abacus Direct, a company possessing detailed consumer profiles on more than 90% of US households.

  • In mid-February 2000 DoubleClick announced plans to merge “anonymous” online data with personal information obtained from offline databases

  • By the first week in March 2000 the plans were put on hold

    • Stock dropped from $125 (12/99) to $80 (03/00)


Offline data goes online l.jpg
Offline data goes online… – but this may be any host in domain

The Cranor family’s 25 most

frequentgrocerypurchases (sorted by nutritional value)!


Subpoenas l.jpg
Subpoenas – but this may be any host in domain

  • Data on online activities is increasingly of interest in civil and criminal cases

  • The only way to avoid subpoenas is to not have data

  • In the US, your files on your computer in your home have much greater legal protection that your files stored on a server on the network


Original idea behind p3p l.jpg

P3P: Introduction – but this may be any host in domain

Original Idea behind P3P

  • A framework for automated privacy discussions

    • Web sites disclose their privacy practices in standard machine-readable formats

    • Web browsers automatically retrieve P3P privacy policies and compare them to users’ privacy preferences

    • Sites and browsers can then negotiate about privacy terms


P3p history l.jpg

P3P: Introduction – but this may be any host in domain

P3P history

  • Idea discussed at November 1995 FTC meeting

  • Ad Hoc “Internet Privacy Working Group” convened to discuss the idea in Fall 1996

  • W3C began working on P3P in Summer 1997

    • Several working groups chartered with dozens of participants from industry, non-profits, academia, government

    • Numerous public working drafts issued, and feedback resulted in many changes

    • Early ideas about negotiation and agreement ultimately removed

    • Automatic data transfer added and then removed

    • Patent issue stalled progress, but ultimately became non-issue

  • P3P issued as official W3C Recommendation on April 16, 2002

    • http://www.w3.org/TR/P3P/


P3p1 0 a first step l.jpg

P3P: Introduction – but this may be any host in domain

P3P1.0 – A first step

  • Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format

    • Can be deployed using existing web servers

  • This will enable the development of tools that:

    • Provide snapshots of sites’ policies

    • Compare policies with user preferences

    • Alert and advise the user


The basics l.jpg

P3P: Introduction – but this may be any host in domain

The basics

  • P3P provides a standard XML format that web sites use to encode their privacy policies

  • Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site

  • Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set

  • No special server software required

  • User software to read P3P policies called a “P3P user agent”


What s in a p3p policy l.jpg

P3P: Enabling your web site – overview and options – but this may be any host in domain

What’s in a P3P policy?

  • Name and contact information for site

  • The kind of access provided

  • Mechanisms for resolving privacy disputes

  • The kinds of data collected

  • How collected data is used, and whether individuals can opt-in or opt-out of any of these uses

  • Whether/when data may be shared and whether there is opt-in or opt-out

  • Data retention policy


P3p xml encoding l.jpg

P3P version – but this may be any host in domain

Location ofhuman-readableprivacy policy

P3P policy name

Site’s nameandcontactinfo

Access disclosure

Human-readableexplanation

How data maybe used

Statement

Data recipients

Data retention policy

Types of data collected

P3P/XML encoding

<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">

<POLICY discuri="http://p3pbook.com/privacy.html"

name="policy">

<ENTITY>

<DATA-GROUP>

<DATA

ref="#business.contact-info.online.email">[email protected]

</DATA>

<DATA

ref="#business.contact-info.online.uri">http://p3pbook.com/

</DATA>

<DATA ref="#business.name">Web Privacy With P3P</DATA>

</DATA-GROUP>

</ENTITY>

<ACCESS><nonident/></ACCESS>

<STATEMENT>

<CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>

<PURPOSE><admin/><current/><develop/></PURPOSE>

<RECIPIENT><ours/></RECIPIENT>

<RETENTION><indefinitely/></RETENTION>

<DATA-GROUP>

<DATA ref="#dynamic.clickstream"/>

<DATA ref="#dynamic.http"/>

</DATA-GROUP>

</STATEMENT>

</POLICY>

</POLICIES>


P3p1 0 spec defines l.jpg

P3P: Introduction – but this may be any host in domain

P3P1.0 Spec Defines

  • A standard vocabulary for describing set of uses, recipients, data categories, and other privacy disclosures

  • A standard schema for data a Web site may wish to collect (base data schema)

  • An XML format for expressing a privacy policy in a machine readable way

  • A means of associating privacy policies with Web pages or sites

  • A protocol for transporting P3P policies over HTTP


A simple http transaction l.jpg

P3P: Introduction – but this may be any host in domain

GET /index.html HTTP/1.1

Host: www.att.com

. . . Request web page

HTTP/1.1 200 OK

Content-Type: text/html

. . . Send web page

A simple HTTP transaction

WebServer


With p3p 1 0 added l.jpg

P3P: Introduction – but this may be any host in domain

GET /w3c/p3p.xml HTTP/1.1

Host: www.att.com

Request Policy Reference File

Send Policy Reference File

Request P3P Policy

Send P3P Policy

GET /index.html HTTP/1.1

Host: www.att.com

. . . Request web page

HTTP/1.1 200 OK

Content-Type: text/html

. . . Send web page

… with P3P 1.0 added

WebServer


Transparency l.jpg

P3P: Introduction – but this may be any host in domain

Transparency

  • P3P clients can check a privacy policy each time it changes

  • P3P clients can check privacy policies on all objects in a web page, including ads and invisible images

http://www.att.com/accessatt/

http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE


P3p in ie6 l.jpg

P3P: Introduction – but this may be any host in domain

P3P in IE6

Automatic processing of compact policies only;

third-party cookies without compact policies blocked by default

Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears


Slide33 l.jpg

P3P: Introduction – but this may be any host in domain

Users can click on privacy icon forlist of cookies; privacy summariesare available atsites that are P3P-enabled


Slide34 l.jpg

P3P: Introduction – but this may be any host in domain

Privacy summary report isgenerated automaticallyfrom full P3P policy


P3p in netscape 7 l.jpg

P3P: Introduction – but this may be any host in domain

P3P in Netscape 7

Preview version similar to IE6, focusing, on cookies; cookies without compact policies (both first-party and third-party) are “flagged” rather than blocked by default

Indicates flagged cookie


Slide36 l.jpg

P3P: Introduction – but this may be any host in domain

Users can view English translation of (part of) compact policy in Cookie Manager


Slide37 l.jpg

P3P: Introduction – but this may be any host in domain

A policy summary can be generated automatically from full P3P policy


At t privacy bird l.jpg

P3P: Introduction – but this may be any host in domain

AT&T Privacy Bird

  • Free download of beta from http://www.privacybird.com/

  • “Browser helper object” forIE 5.01/5.5/6.0

  • Reads P3P policies at all P3P-enabled sites automatically

  • Puts bird icon at top of browser window that changes to indicate whether site matches user’s privacy preferences

  • Clicking on bird icon gives more information

  • Current version is information only – no cookie blocking


Chirping bird is privacy indicator l.jpg

P3P: Introduction – but this may be any host in domain

Chirping bird is privacy indicator


Click on the bird for more info l.jpg

P3P: Introduction – but this may be any host in domain

Click on the bird for more info


Privacy policy summary mismatch l.jpg

P3P: Introduction – but this may be any host in domain

Privacy policy summary - mismatch


Users select warning conditions l.jpg

P3P: Introduction – but this may be any host in domain

Users select warning conditions


Bird checks policies for embedded content l.jpg

P3P: Introduction – but this may be any host in domain

Bird checks policies for embedded content


Why web sites adopt p3p l.jpg

P3P: Introduction – but this may be any host in domain

Why web sites adopt P3P

  • Demonstrate corporate leadership on privacy issues

    • Show customers they respect their privacy

    • Demonstrate to regulators that industry is taking voluntary steps to address consumer privacy concerns

  • Distinguish brand as privacy friendly

  • Prevent IE6 from blocking their cookies

  • Anticipation that consumers will soon come to expect P3P on all web sites

  • Individuals who run sites value personal privacy


P3p early adopters l.jpg

P3P: Introduction – but this may be any host in domain

P3P early adopters

  • News and information sites – CNET, About.com, BusinessWeek

  • Search engines – Yahoo, Lycos

  • Ad networks – DoubleClick, Avenue A

  • Telecom companies – AT&T

  • Financial institutions – Fidelity

  • Computer hardware and software vendors – IBM, Dell, Microsoft, McAfee

  • Retail stores – Fortunoff, Ritz Camera

  • Government agencies – FTC, Dept. of Commerce, Ontario Information and Privacy Commissioner

  • Non-profits - CDT


Impacts l.jpg

P3P: The future – but this may be any host in domain

Impacts

  • Somewhat early to evaluate P3P

  • Some companies that P3P-enable think about privacy in new ways and change their practices

    • Systematic assessment of privacy practices

    • Concrete disclosures – less wiggle room

    • Disclosures about areas previously not discussed in privacy policy

  • Hopefully we will see greater transparency, more informed consumers, and ultimately better privacy policies


Discussion questions l.jpg
Discussion questions – but this may be any host in domain

  • What elements are needed in order to facilitate a robust market for privacy of personal information?

  • How can P3P help realize such a market?


Homework discussion l.jpg
Homework discussion – but this may be any host in domain

  • Argue for or against placing privacy-related restrictions on public web cams.

  • P3P and privacy policies

    • What aspects of each privacy policy you liked and what aspects you did not like

    • Compare the experience of reading the privacy policies with using each P3P user agent

  • Pick one new-technology-related privacy concern that you believe to be particularly significant. Explain the privacy issue and why you think it is a significant concern. What might be done to mitigate the concern?


Degrees of anonymity l.jpg
Degrees of anonymity – but this may be any host in domain

Absolute privacy: adversary cannot observe communication

Beyond suspicion: no user is more suspicious than any other

Probable innocence: each user is more likely innocent than not

Possible innocence: nontrivial probability that user is innocent

Exposed (default on web): adversary learns responsible user

Provably exposed: adversary can prove your actions to others

More

Less


The anonymizer l.jpg

Request – but this may be any host in domain

Request

Reply

Reply

The Anonymizer

  • Acts as a proxy for users

  • Hides information from end servers

  • Sees all web traffic

  • Adds ads to pages (free service; subscription service also available)

    http://www.anonymizer.com

Anonymizer

Client

Server


Cryptography basics l.jpg
Cryptography Basics – but this may be any host in domain

  • Encryption algorithm

    • used to make content unreadable by all but the intended receivers

      E(plaintext,key) = ciphertext

      D(ciphertext,key) = plaintext

  • Symmetric (shared) key cryptography

    • A single key is used is used for E and D

      D( E(p,k1), k1 ) = p

  • Management of keys determines who has access to content

    • E.g., password encrypted email


Public key cryptography l.jpg
Public Key Cryptography – but this may be any host in domain

  • Public Key cryptography

    • Each key pair consists of a public and private component: k+ (public key), k- (private key)

      D( E(p, k+), k- ) = p

      D( E(p, k-), k+ ) = p

  • Public keys are distributed (typically) through public key certificates

    • Anyone can communicate secretly with you if they have your certificate

    • E.g., SSL-base web commerce


Mixes chaum81 l.jpg

msg – but this may be any host in domain

dest,msg

B,

C

kC

kB

kA

kC

dest,msg

C

kC

kB

dest,msg

kX = encrypted with public key of Mix X

Mixes [Chaum81]

Sender

Destination

Mix C

Mix A

Mix B

Sender routes message randomly through network

of “Mixes”, using layered public-key encryption.


Crowds l.jpg
Crowds – but this may be any host in domain

  • Users join a Crowd of other users

  • Web requests from the crowd cannot be linked to any individual

  • Protection from

    • end servers

    • other crowd members

    • system administrators

    • eavesdroppers

  • First system to hide data shadow on the web without trusting a central authority

    http://avirubin.com/cacm.pdf


Crowds56 l.jpg
Crowds – but this may be any host in domain

Crowd members

Web servers

3

1

6

5

5

1

2

6

3

2

4

4


Anonymous e mail l.jpg
Anonymous – but this may be any host in domainemail

  • Anonymous remailers allow people to send email anonymously

  • Similar to anonymous web proxies

    • Send mail to remailer, which strips out any identifying information (very controversial)

    • Johan (Julf) Helsingius ~ Penet

  • Some can be chained and work like mixes

    http://anon.efga.org/Remailers


ad