ECON 425563 CPSC 455555

1
Online Privacy

• ECON 425/563 // CPSC 455/555
• NOVEMBER 6, 2008

2
Outline

• Large amounts of sensitive information flow
  around the web.
• Privacy-enhancing technology has been developed
  and deployed (example P3P).
• Economic approaches to the management of private
  information
• (Acknowledgements L. Cranor, C. Lu, and H.
  Varian)

3
Online privacy in the comics!
February 25, 2000
Cathy
4
Why is Cathy concerned?
Cathy
March 1, 2000
5
How did Irving find this out?

• He snooped her email
• He looked at the files on her computer
• He observed the chatter sent by her browser
• He set cookies through banner ads and web bugs
  that allowed him to track her activities across
  web sites

6
What do browsers chatter about?

• Browsers chatter about
• IP address, domain name, organization,
• Referring page
• Platform O/S, browser
• What information is requested
• URLs and search terms
• Cookies

• To anyone who might be listening
• End servers
• System administrators
• Internet Service Providers
• Other third parties
• Advertising networks
• Anyone who might subpoena log files later

7
A typical HTTP request

• GET /retail/searchresults.asp?qubeer HTTP/1.0
• Referer http//www.us.buy.com/default.asp
• User-Agent Mozilla/4.75 en (X11 U NetBSD
  1.5_ALPHA i386)
• Host www.us.buy.com
• Accept image/gif, image/jpeg, image/pjpeg, /
• Accept-Language en
• Cookie buycountryus dcLocNameBasket
  dcCatID6773 dcLocID6773 dcAdbuybasket loc
  parentLocNameBasket parentLoc6773
  ShopperManager2FShopperManager2F66FUQULL0QBT8M
  MTVSC5MMNKBJFWDVH7 Store107 Category0

8
What about cookies?

• Cookies can be useful
• used like a staple to attach multiple parts of a
  form together
• used to identify you when you return to a web
  site so you dont have to remember a password
• used to help web sites understand how people use
  them
• Cookies can do unexpected things
• used to profile users and track their activities,
  especially across web sites

9
How do cookies work?

• A cookie stores a small string of characters
• A web site asks your browser to set a cookie
• Whenever you return to that site your browser
  sends the cookie back automatically
• Cookies are only sent back to the site that set
  them

Please store cookie xyzzy
Here is cookie xyzzy
browser
site
browser
site
First visit to site
Later visits
10
YOU
Ad companycan get yourname and address
frombook order andlink them to your search
11
Web bugs

• Invisible images embedded in web pages that
  cause cookies to be transferred
• Work just like banner ads from ad networks, but
  you cant see them unless you look at the code
  behind a web page
• Also embedded in HTML formatted email messages
• For more info on web bugs see http//www.privacyf
  oundation.org/education/webbug.html

12
Referer log problems

• GET methods result in values in URL
• These URLs are sent in the referer header to next
  host
• Example
• http//www.merchant.com/cgi_bin/order?nameTomJon
  esaddressheretherecreditcard234876923234PIN
  1234 -gt index.html

13
A Technological Approach

• The Platform for Privacy Preferences (P3P) is a
  standard, computer-readable format for privacy
  policies and a protocol allowing web browsers and
  other tools to read and process privacy policies
  automatically.

14
Who created P3P?

• World Wide Web Consortium (W3C) a nonprofit,
  industry-supported consortium including
  researchers and engineers from over 420
  institutions.
• Participants in the development of P3P came from
  around the world, including representatives from
  industry, government, nonprofit organizations,
  and academia.

15
Why was P3P created?

• To increase consumer trust.
• If the ability to spend is the fuel that
  propels the economic engine, then consumers
  trust and confidence in that engine is the
  lubricant.
• To protect privacy by allowing informed choice.
• Privacy is the ability of individuals to
  exercise control over the disclosure and
  subsequent uses of their personal information.
  Hence notice is fundamental to the individuals
  ability to protect his or her privacy.
• To make choice easy.
• Privacy policies are difficult and
  time-consuming to locate, to read, and to
  understand and they change frequently without
  notice.

16
How does P3P work? (1)

• User sets personal privacy preferences on a tool
  such as a browser.

17
How does P3P work? (2)

• 2. Browser requests privacy policy from a
  (P3P-compliant) Web site.
• 3. Browser compares the privacy policy with the
  users privacy preferences and acts accordingly.
  (Symbols, pop-up prompts, etc.)

18
P3P Policy Elements Include

• Who is collecting these data?
• What information is being collected?
• For what purpose?
• Which information is being shared with others?
• Who are these data recipients?
• Can users access their identified data?
• Can users make changes in how their data is used?
• What is the policy for retaining data?
• How are disputes resolved?

19
Purpose Specifications

• Completion and support of activity for which data
  was provided
• Web site and system administration
• Research and development
• One-time tailoring
• Pseudonymous decision or analysis
• Individual decision or analysis
• Contacting visitors for marketing of services or
  products
• Historical preservation
• Contacting visitors for marketing of services or
  products via telephone
• Other purpose

20
What P3P Accomplishes

• Makes privacy notices easy to locate and easy to
  understand.
• Allows users to specify their privacy preferences
  once so that they can be automatically compared
  to a web sites privacy policy.
• Assists users in making decisions about when to
  disclose personal information, how much, and to
  whom.

21
What P3P Does NOT Accomplish

• Does NOT replace privacy regulations.
• Can NOT protect the privacy of users in
  jurisdictions with insufficient data privacy
  laws.
• Can NOT ensure the companies or organizations
  follow their stated privacy policies.
• P3P does not protect privacy, in and of itself.
  It does, however, help create a framework for
  informed choice on the part of consumers. Any
  efficacy that P3P has is dependent upon the
  substantive privacy rules established through
  other processes be they a result of regulatory,
  self-regulatory, or public pressure.

22
Controversy over P3P

• In the context of proper legislation, P3P is
  the most promising solution to cyberspace
  privacy. It will make it easy for companies to
  explain their practices in a form that computers
  can read, and make it easy for consumers to
  express their preferences in a way that computers
  will automatically respect.
• Professor Lawrence Lessig, Stanford Law
  School.

23
Controversy over P3P

• P3P is
• a) Pretty Poor Privacy,
• b) a Pretext for Privacy Procrastination, and
• c) a tacit acceptance of the great increase in
  the tracking and monitoring of our minor
  activities that take place over the Web.
• Karen Coyle, Information Technology
  Specialist,
• University of California

24
Support for P3P

• Provides notice and consent
• Promotes transparency and accountability
• Intuitive
• Flexible and global
• Worthwhile process

25
Criticism of P3P

• Lack of enforcement
• Used as a procrastination tool
• Unclear legal consequences
• Importance of default settings
• Unable to maintain current experience
• Expensive to implement and maintain
• Overly broad and vague purpose specifications
• Ultimatum-style communication

26
More Criticism of P3P

• Consumer and business confusion
• Rejected by the European Union
• Lack of actual choice
• Assumes the need to gather information
• Does not address third-party data collection
• Lack of control over an irreversible choice

27
Basic Conflict

• What is the real problem?
• Lack of knowledge about how information will be
  used?
• OR
• The gathering of the data itself?

28
Universal Agreement

• Enforcement mechanisms are needed.
• A technical platform for privacy
  protectionmust be applied within the context of
  a framework of enforceable data protection rules,
  which provide a minimum and non-negotiable level
  of privacy protection for all individuals. Use
  of P3P in the absence of such a framework risks
  shifting the onus primarily onto the individual
  user to protect himself European Commission,
  1998.

29
Economic View of Privacy

• Non-adoption of P3P and other privacy-enhancing
  technologies is not due to technological flaws.
  It is due to economic incentives.
• Rational consumers want some of their personal
  information available to producers. They will
  experience more privacy (e.g., less intrusive
  marketing) and reduced search costs if their true
  preferences are known.

30
Complication Secondary Use

• Customers can benefit from collection and
  analysis of personal information by merchants
  with whom they transact directly.
• If that information is sold to a third party
  that does not know the customers, that third
  party will use it more clumsily and reimpose cost
  on the customers.
• The seller of this information has externalized
  these costs.

31
Privacy as a Property Right

• Data collectors can externalize the costs of
  secondary use because current law gives them
  property rights in the databases they construct.
• Alternative Vest the property rights in the
  data subjects, and compensate them for use of
  their data.
• Varian gives examples of how to structure
  information markets and set prices
  http//people.ischool.berkeley.edu/hal/Papers/pri
  vacy
• Opponents of this approach would rather ban
  sale of personal information altogether and
  establish a true right to privacy. Relying on
  property rights to control the dissemination and
  use of personal information ensures that only the
  rich will have privacy.